I sometime need to share posts with selected readers only, for review or private discussion.
This is precisely the objective of the Hugo theme ‘Off The Record’::
“publish a post and invite chosen readers with a private link – while keeping this post hidden from other visitors”.
A demo is available, and the source code is public.
Installation
Note that Hugo extended > 0.82 is required (Posts are not properly hidden with previous Hugo versions).
Download:
git clone --recurse-submodules https://github.com/RoneoOrg/hugo-offtherecord-demo.git
Run:
cd hugo-offtherecord-demo
hugo serve
How to use
Set offTheRecord to true in the
Front Matter of the posts you want to hide.
That’s all!
Example
---
title: "Pending article, for review"
date: 2021-11-22T00:00:03+00:00
offTheRecord: true
---
Update
Update the theme with the following command at the root of your project:
git submodule update --init --recursive --remote
Technical details
Private posts are hidden from:
- the homepage
- the search results
- the RSS feeds
- the archive page
- the sitemap
Search engines are also told not to index these posts.
See the changelog for a commented code tour.
Update June, 28:
External links are now automatically
opened in new tabs with ‘rel noreferrer’, to avoid
leaking referrer information.
Additional features
This theme is based on Papermod, which provides numerous other features:
- 3 different Homepage layouts
- Multilingual support.
- Multiple Author support.
- Light / Dark theme.
- Search page.
- Carefully optimized code.
See the Papermod Documentation for more info
Caveats
This solution should not be considered secured before checking your threat model with these caveats in mind:
- someone could guess the URL of a private post.
- someone could automatically scan your website to discover these secret URLs.
- an attacker could access your Git repo and read private content directly from the source files. You should use a private repo.
The way you share the link matters too. See:
- “ Gmail is opening and caching URLs within emails without user intervention”.
- “ Outlook scans emails arriving in your inbox and sends all found URLs to Bing”
In addition, Internet actors on the way (hosts, DNS and internet providers) will handle references / parts of your page.
Roadmap
What’s left to do:
- Study these similar projects: 1 1b 1c 2 (see the “ unlisted” option)
- Check Hugo “Build Options” for relevant features
- Verify the content of
schema.json - Hide private posts from the
tagspages and from Hugoseries(disabled by default). - Update Papermod Readme and documentation
- Check if hidden posts are counted in Tags pages total
References
- The original idea comes from this post from zwbetz.
- See also this discussion on discourse.gohugo
- Staled Feature request
- Old thread on discourse.gohugo