** Changed in: openstack-manuals Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1118194

Title:
  Security Documentation for Horizon

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Manuals:
  Fix Released

Bug description:
  Horizon's documentation doesn't contain much in terms of guidelines for
  securing a deployment. The following should be documented somewhere:

  When implementing Horizon for public usage, with the website served
  through HTTPS, the following recommendations apply.

  In the Apache global configuration, ensure that the following directive
  is configured to prevent the server from sharing its name, version and
  any other information that could be used for an attack:

    ServerSignature Off

  In the Apache global configuration, ensure that the following directive
  is configured to prevent cross-site tracing [1]:

    TraceEnable Off

  In the Apache virtual host configuration:

  1) Ensure that the "Indexes" option is not included in the Options
     directive.

  2) Protect the server from BEAST attacks [2] by implementing the
     following options:

    SSLHonorCipherOrder on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES

  In local_settings.py, implement the following settings in order to help
  protect the cookies from cross-site scripting [3]:

    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True

  Note that the CSRF_COOKIE_SECURE option is only available from Django
  1.4 and will therefore not work for most packaged Essex deployments.

  Also, since a recent patch [4], you can disable browser autocompletion
  [5] for the authentication form by changing the 'password_autocomplete'
  attribute to 'off' in horizon/conf/default.py.
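The following checker is an added example and is not part of the bug report or of Horizon; it audits an Apache configuration and a local_settings.py fragment for the directives the description lists (ServerSignature, TraceEnable, the Indexes option, SSLHonorCipherOrder, and the three cookie flags). The sample configurations embedded in it are constructed for the demonstration. The SSLProtocol and SSLCipherSuite lines are reported for review rather than graded, because the values recommended above date from 2013 and RC4 and SSLv3 have since been deprecated (RFC 7465 and RFC 7568).

```python
import re

# Constructed sample Apache configuration (not from the bug report). It deliberately
# omits TraceEnable and keeps the Indexes option enabled so the checker has findings.
SAMPLE_APACHE_CONF = """
ServerSignature Off
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    Options Indexes FollowSymLinks
    SSLEngine on
    SSLHonorCipherOrder on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES
</VirtualHost>
"""

# Constructed hardened variant of the same configuration.
SAMPLE_APACHE_CONF_HARDENED = """
ServerSignature Off
TraceEnable Off
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    Options -Indexes +FollowSymLinks
    SSLEngine on
    SSLHonorCipherOrder on
</VirtualHost>
"""

# Constructed local_settings.py fragment; SESSION_COOKIE_HTTPONLY is missing on purpose.
SAMPLE_LOCAL_SETTINGS = """
DEBUG = False
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
"""

# Global/vhost directives from the bug with the value they should carry.
EXPECTED_DIRECTIVES = (("serversignature", "off"), ("traceenable", "off"),
                       ("sslhonorcipherorder", "on"))
REQUIRED_COOKIE_SETTINGS = ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE",
                            "SESSION_COOKIE_HTTPONLY")
_ASSIGN = re.compile(r"^\s*([A-Z_]+)\s*=\s*(True|False)\s*(#.*)?$")


def _directives(conf):
    """Yield (lower-cased name, value) for each Apache directive line; comments and
    section tags such as <VirtualHost> are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def _collect(conf):
    """Map each directive name to the list of values it was given, in file order."""
    seen = {}
    for name, value in _directives(conf):
        seen.setdefault(name, []).append(value)
    return seen


def check_apache(conf):
    """Return findings for the hardening directives named in the bug description."""
    seen = _collect(conf)
    findings = []
    for name, want in EXPECTED_DIRECTIVES:
        values = [v.lower() for v in seen.get(name, [])]
        if not values:
            # An absent directive means Apache's default applies (ServerSignature and
            # TraceEnable both default to On).
            findings.append(f"{name}: not set (default applies)")
        elif values[-1] != want:
            findings.append(f"{name}: set to '{values[-1]}', expected '{want}'")
    # Directory listing is enabled by a bare "Indexes" or "+Indexes"; "-Indexes" disables it.
    for value in seen.get("options", []):
        for token in value.split():
            if token.lower().lstrip("+") == "indexes" and not token.startswith("-"):
                findings.append("options: directory listing (Indexes) is enabled")
    return findings


def tls_settings(conf):
    """Return the last SSLProtocol and SSLCipherSuite values, for manual review."""
    seen = _collect(conf)
    return {name: seen[name][-1] for name in ("sslprotocol", "sslciphersuite") if name in seen}


def check_local_settings(text):
    """Return the cookie settings from the bug that are not set to True."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2) == "True"
    return [name for name in REQUIRED_COOKIE_SETTINGS if not values.get(name, False)]


if __name__ == "__main__":
    print("apache findings:", check_apache(SAMPLE_APACHE_CONF))
    print("hardened findings:", check_apache(SAMPLE_APACHE_CONF_HARDENED))
    print("tls lines to review:", tls_settings(SAMPLE_APACHE_CONF))
    print("cookie settings missing:", check_local_settings(SAMPLE_LOCAL_SETTINGS))
```

Run against the constructed input it reports the missing TraceEnable directive and the enabled Indexes option, and flags SESSION_COOKIE_HTTPONLY as unset; the hardened variant produces no findings. The Apache parsing is line-based and ignores <Directory> and <Location> scoping, so a real audit should still read the effective configuration (for example `apachectl -S` and the merged vhost files) rather than rely on this alone.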
  [1] http://www.kb.cert.org/vuls/id/867593
  [2] http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
  [3] https://www.owasp.org/index.php/HttpOnly
  [4] https://review.openstack.org/21349
  [5] https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118194/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp