JAMstack Static Sites on Tor Hidden Services: Build and Deploy

Static sites eliminate the primary attack vectors of dynamic web applications: no database to attack, no server-side code execution, no application framework vulnerabilities, and no authentication endpoints to brute-force. The attack surface is reduced to: Nginx configuration, the static files themselves (content injection if files are modified), and the server operating system. Static sites handle traffic spikes gracefully (serving pre-built HTML is very fast and requires minimal CPU). For content-focused hidden services (news, documentation, community information, manifestos), static sites are the ideal choice.

Hugo (Go-based) builds sites in milliseconds even for large sites (1000+ pages). Installation: single binary, no runtime dependencies. Site structure: content/ (Markdown files), templates/ (HTML templates), static/ (CSS/JS/images), config.toml (configuration). Build: hugo (outputs to public/ directory). Deploy: rsync -avz public/ user@server:/var/www/hidden-site/ via Tor (scp through SOCKS5 proxy). Hugo's speed makes automated rebuild-and-deploy practical (cron + git pull + hugo + rsync). Hugo themes: many available, most require clearnet resource removal (CDN-hosted fonts, analytics scripts) for hidden service compatibility.

Next.js (React-based) supports static export: next build && next export produces a fully static out/ directory. Configuration in next.config.js: module.exports = { output: 'export', assetPrefix: '' } (relative asset paths for .onion serving). Next.js static export does not support: Server-Side Rendering (SSR), API routes, Image Optimization requiring server (use custom image sizes or self-hosted image optimization). For sites requiring these features, consider running Next.js server on the hidden service (same as other Node.js deployments). Static export limitations: if the site needs dynamic content (search, user accounts), static export is insufficient and a full server deployment is needed.

Nginx serves static files efficiently. Configuration: root /var/www/hidden-site; index index.html; location / { try_files $uri $uri/ $uri.html =404; } (handles paths without .html extensions). Caching headers for static files: location ~* \.(css|js|png|jpg|gif|ico|woff2)$ { expires 1y; add_header Cache-Control 'public, immutable'; } (aggressive caching for versioned assets). Compression: gzip on; gzip_types text/html text/css application/javascript; (reduces transfer size). Security headers: add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY. Tor serves this static site without any server-side processing.

Automated rebuild and deploy workflow: (1) Content update (new Markdown file created), (2) Git commit and push to a private repository, (3) Deployment script: pull from git repository, run hugo build or npm run build, rsync built files to hidden service server via SSH over Tor (ssh -o ProxyCommand='nc -x 127.0.0.1:9050 %h %p' -p PORT user@SERVER_IP rsync ...), (4) Verify deployment: check that new content appears at the .onion address. Automation with cron: check git repository every hour for changes, rebuild and deploy if changes detected. This workflow allows multiple authors to contribute content through git pull requests without direct server access.