github.com/gohugoio/hugo.git
path: root/docs
Diffstat (limited to 'docs')
-rw-r--r--docs/config/_default/security.toml13
-rw-r--r--docs/content/en/about/security-model/index.md21
-rw-r--r--docs/content/en/getting-started/configuration.md4
-rw-r--r--docs/data/docs.json37
4 files changed, 71 insertions, 4 deletions
diff --git a/docs/config/_default/security.toml b/docs/config/_default/security.toml
new file mode 100644
index 000000000..73af66164
--- /dev/null
+++ b/docs/config/_default/security.toml
@@ -0,0 +1,13 @@
+
+ enableInlineShortcodes = false
+
+ [exec]
+ allow = ['^go$']
+ osEnv = ['^PATH$']
+
+ [funcs]
+ getenv = ['^HUGO_', '^REPOSITORY_URL$']
+
+ [http]
+ methods = ['(?i)GET|POST']
+ urls = ['.*'] \ No newline at end of file
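Review bot: the new docs/config/_default/security.toml ends without a trailing newline (the `\ No newline at end of file` marker after `urls = ['.*']`); add one so later edits to this file do not produce noisy diffs. While here, `methods = ['(?i)GET|POST']` is an unanchored pattern, so `'(?i)^(GET|POST)$'` would state the intent exactly; `urls = ['.*']` deliberately allows any remote URL for the docs build, which is consistent with the `HUGO_SECURITY_HTTP_URLS=none` override this change documents on the security-model page.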
diff --git a/docs/content/en/about/security-model/index.md b/docs/content/en/about/security-model/index.md
index 7a7841131..aed925d49 100644
--- a/docs/content/en/about/security-model/index.md
+++ b/docs/content/en/about/security-model/index.md
@@ -21,14 +21,29 @@ Hugo produces static output, so once built, the runtime is the browser (assuming
But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).
-**Hugo's main approach is that of sandboxing:**
+**Hugo's main approach is that of sandboxing and a security policy with strict defaults:**
* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have only read-access to the filesystem.
-* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
+* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
-Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.
+
+## Security Policy
+
+{{< new-in "0.91.0" >}}
+
+Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar.
+
+The defdault configuration is listed below. And build using features not whitelisted in the security policy will faill with a detailed message about what needs to be done. Most of these settings are whitelists (string or slice, [Regular Expressions](https://pkg.go.dev/regexp) or `none` which matches nothing).
+
+{{< code-toggle config="security" />}}
+
+Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:
+
+```
+HUGO_SECURITY_HTTP_URLS=none hugo
+```
## Dependency Security
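Review bot: the paragraph added under `## Security Policy` carries three typos that would ship to the public docs: `defdault` should be `default`, `And build using features not whitelisted` should be `Any build using features not whitelisted`, and `faill` should be `fail`. The fenced block around `HUGO_SECURITY_HTTP_URLS=none hugo` also has no language tag; tagging it (for example `bash`) gives it syntax highlighting like the other shell snippets.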
diff --git a/docs/content/en/getting-started/configuration.md b/docs/content/en/getting-started/configuration.md
index 0f48c39e3..2123558d9 100644
--- a/docs/content/en/getting-started/configuration.md
+++ b/docs/content/en/getting-started/configuration.md
@@ -381,6 +381,10 @@ Maximum number of items in the RSS feed.
### sectionPagesMenu
See ["Section Menu for Lazy Bloggers"](/templates/menu-templates/#section-menu-for-lazy-bloggers).
+### security
+
+See [Security Policy](/about/security-model/#security-policy)
+
### sitemap
Default [sitemap configuration](/templates/sitemap-template/#configure-sitemapxml).
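Review bot: the new `### security` entry reads `See [Security Policy](/about/security-model/#security-policy)` with no terminating period, unlike the neighbouring `### sectionPagesMenu` entry whose `See [...]` sentence ends with one; add the period for consistency.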
diff --git a/docs/data/docs.json b/docs/data/docs.json
index 70a2eafb4..8f8950dc4 100644
--- a/docs/data/docs.json
+++ b/docs/data/docs.json
@@ -1775,9 +1775,15 @@
"permalinks": {
"_merge": "none"
},
+ "privacy": {
+ "_merge": "none"
+ },
"related": {
"_merge": "none"
},
+ "security": {
+ "_merge": "none"
+ },
"sitemap": {
"_merge": "none"
},
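Review bot: besides `security`, this hunk also adds a `privacy` entry with `"_merge": "none"`, but nothing else in the change (the diffstat lists only security.toml, the security-model page, configuration.md and docs.json) documents a privacy setting; confirm the `privacy` entry is intended as part of this change rather than carried in from a separate one.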
@@ -1822,6 +1828,32 @@
"keepWhitespace": false
}
}
+ },
+ "security": {
+ "enableInlineShortcodes": false,
+ "exec": {
+ "allow": [
+ "^go$",
+ "^npx$",
+ "^postcss$"
+ ],
+ "osEnv": [
+ "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"
+ ]
+ },
+ "funcs": {
+ "getenv": [
+ "^HUGO_"
+ ]
+ },
+ "http": {
+ "methods": [
+ "(?i)GET|POST"
+ ],
+ "urls": [
+ ".*"
+ ]
+ }
}
},
"media": {
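Review bot: the documented default for `http.urls` is `".*"`, i.e. any remote URL is allowed unless the user overrides it, and `exec.allow` permits `go`, `npx` and `postcss` out of the box; the security-model text in this same change speaks of "strict defaults" and says the external binaries are "disabled by default", so the prose should state precisely which defaults are open (HTTP fetches to any URL, the three listed binaries) so readers do not assume remote fetching is blocked by default. The `methods` pattern `"(?i)GET|POST"` is also unanchored; `"(?i)^(GET|POST)$"` expresses the intent exactly.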
@@ -1966,7 +1998,10 @@
"string": "image/jpeg",
"suffixes": [
"jpg",
- "jpeg"
+ "jpeg",
+ "jpe",
+ "jif",
+ "jfif"
]
},
{
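Review bot: the added `jpe`, `jif` and `jfif` suffixes for `image/jpeg` are unrelated to the security policy that the rest of this change documents; splitting them into their own commit keeps the history easier to audit, and any docs page that enumerates the image/jpeg suffixes should be checked so it matches the new list.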