Hugo's livereload WebSocket endpoint accepts upgrade requests that omit the Origin header — any local process or non-browser client can read the file-change event stream. A second gap allows X-Forwarded-Host to override the Host comparison.
My mail inbox is busier these days with reports from AI-driven security researchers. To try to prevent future duplicates, I will register these with a description and my initial threat evaluation.
My take on the above:
- The "file-change event stream" is a stream of information about paths on the file server that have changed and need to be refreshed. There's no secret information to be found here.
- If you still think this is an issue, you can opt out of this with
hugo server --disableLiveReload.
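For readers who want to see what the two reported gaps look like in code, here is an added Go illustration. It is not Hugo's code: the weak check is reconstructed from the report's description, and the function names, the `/livereload` path and the sample hosts are assumptions made for the example. It places the reported behaviour (missing Origin accepted, X-Forwarded-Host overriding the Host comparison) beside a check that compares only the Host the server actually received.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// weakOriginOK reconstructs the reported behaviour (assumed shape, not Hugo's
// code): a missing Origin is accepted, and when X-Forwarded-Host is present it
// replaces the received Host as the value the Origin is compared against.
func weakOriginOK(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // gap 1: no Origin, no check
	}
	expected := r.Host
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
		expected = fh // gap 2: any client can set this header itself
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, expected)
}

// strictOriginOK compares the Origin host only against r.Host, the value the
// server itself received, and treats a missing or unparsable Origin as a
// failed check. Forwarded headers are deliberately ignored because nothing
// on a local dev server vouches for the proxy that would have set them.
func strictOriginOK(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// newUpgradeRequest builds a constructed WebSocket upgrade request against an
// assumed dev-server address; origin and forwardedHost are optional.
func newUpgradeRequest(origin, forwardedHost string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://localhost:1313/livereload", nil)
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	return r
}

func main() {
	cases := []struct {
		name, origin, forwarded string
	}{
		{"same-origin browser page", "http://localhost:1313", ""},
		{"cross-site page, no forwarded header", "http://evil.example", ""},
		{"cross-site page spoofing X-Forwarded-Host", "http://evil.example", "evil.example"},
		{"non-browser client, no Origin", "", ""},
	}
	for _, c := range cases {
		r := newUpgradeRequest(c.origin, c.forwarded)
		fmt.Printf("%-42s weak=%-5v strict=%v\n", c.name, weakOriginOK(r), strictOriginOK(r))
	}
}
```

Note what the strict version does and does not buy you: a non-browser client can put any Origin it likes on the request, so the check is only a defence against a cross-site page opened in a browser, which is consistent with the assessment above that the stream itself carries nothing secret.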