Tpl/crypto: add HMAC support

Hello, I am a big fan of Hugo. I am using it for my personal website https://edouard.paris and I am happy with it :slight_smile: I want to use Hugo for more projects using external APIs, and here is a feature proposal I would like to see implemented (by me or any awesome Hugo developer).

I want to use an image resizer engine, https://github.com/thoas/picfit. Images are resized dynamically on the first request and then cached. For security, an HMAC is required. An HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key.

<img src="http://myengine.com/display?w=100&h=100&path=path/to/file.png&sig=<hmac>">

The new feature would be a new template function hmac with 3 args:

  • The hash type (string): md5, sha256
  • The message (string)
  • The key (string)

Usage:

{{ $key := getenv "KEY"}}
{{ hmac "sha256" "hello, gohugo" $key }}

Please tell me what you think of this idea and whether I should create a PR.
Thank you

Can you please clarify what you mean here?

Hugo is an “open-source static site generator”; content prepared by Hugo for publishing has no idea of either a first request or a second request.

Images are resized dynamically on the first request and then cached.

Picfit will store and resize images and serve them through an HTTP server.
Hugo will not make any HTTP request. It will just generate an HTML page with links to images hosted by my picfit instance.

<img src="https://my-picfit-instance.com/hello.png?w=100&h=100&sig=1239786788999923472">

In order to forbid unknown clients from using the resize engine, an HMAC is needed in the URL.
I use picfit as an example, but other services use HMAC, like cloudimage docs

Seems like a reasonable request. Post this proposal to GitHub. I notice that you’re missing sha1 in the list of hash functions. hmac should support all hash functions in the tpl/crypto package. :+1:

2 Likes

Thank you, I will post the GitHub issue here once it is created

Please do.
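
The following Go sketch is an added example, not part of the thread and not Hugo's or picfit's own code: it shows the three-argument HMAC function discussed above with md5, sha1 and sha256, a build-time signer for the image query string, and the constant-time check an image server would run. The names `HMAC`, `SignQuery` and `VerifyQuery`, the sample key, and the choice to sign the sorted, URL-encoded query string are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
	"net/url"
)

var hashes = map[string]func() hash.Hash{"md5": md5.New, "sha1": sha1.New, "sha256": sha256.New}

// HMAC takes the three proposed arguments and returns the hex-encoded MAC.
func HMAC(hashName, message, key string) (string, error) {
	newHash, ok := hashes[hashName]
	if !ok {
		return "", fmt.Errorf("hmac: unsupported hash %q", hashName)
	}
	mac := hmac.New(newHash, []byte(key))
	mac.Write([]byte(message))
	return fmt.Sprintf("%x", mac.Sum(nil)), nil
}

// SignQuery runs at build time. Assumption: the signed message is the sorted,
// URL-encoded query string (url.Values.Encode sorts by key).
func SignQuery(params url.Values, key string) string {
	sig, _ := HMAC("sha256", params.Encode(), key) // sha256 is always in the table
	return params.Encode() + "&sig=" + sig
}

// VerifyQuery (server side) recomputes the MAC without sig and compares in constant time.
func VerifyQuery(rawQuery, key string) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false
	}
	sig := q.Get("sig")
	q.Del("sig")
	want, _ := HMAC("sha256", q.Encode(), key)
	return hmac.Equal([]byte(sig), []byte(want))
}

func main() {
	// Constructed parameters and key; a real key would come from the environment.
	q := SignQuery(url.Values{"w": {"100"}, "h": {"100"}, "path": {"path/to/file.png"}}, "constructed-key")
	fmt.Println("https://my-picfit-instance.com/display?"+q, VerifyQuery(q, "constructed-key"))
}
```

Because the signature is computed when the site is built, the key never appears in the generated HTML; only the resulting `sig` value does.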