Security Documentation for Horizon

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Fix Released | Undecided | Jesse Pretorius | 2013.1 |
| openstack-manuals | Fix Released | Wishlist | OpenStack Security SIG | |
Bug Description
Horizon's documentation doesn't contain much in terms of guidelines for securing a deployment.
The following should be documented somewhere:
When implementing Horizon for public usage, with the website served through HTTPS, the following recommendations apply.
In the Apache global configuration ensure that the following directive is configured to prevent the server from sharing its name, version and any other information that could be used for an attack:
ServerSignature Off
In the Apache global configuration ensure that the following directive is configured to prevent cross-site tracing [1]:
TraceEnable Off
In the Apache virtual host configuration:
1) Ensure that the "Indexes" option is not included in the Options directive.
2) Protect the server from BEAST attacks [2] by implementing the following options:
SSLHonorCiphe
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:
In local_settings.py, implement the following settings in order to help protect the cookies from cross-site scripting [3]:
CSRF_COOKIE_SECURE = True
SESSION_
SESSION_
Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4 and will therefore not work for most packaged Essex deployments.
Also, since a recent patch [4], you can disable browser autocompletion [5] for the authentication form by changing the 'password_
[1] http://
[2] http://
[3] https:/
[4] https:/
[5] https:/
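As an added example (not code from the bug report, Horizon, Apache or Django), the following Python script checks an Apache configuration and a Horizon `local_settings.py` for the settings the report names in full: `ServerSignature Off`, `TraceEnable Off`, no `Indexes` in a virtual host's `Options` directive, and `CSRF_COOKIE_SECURE = True`. The configuration samples are constructed. The truncated `SESSION_` lines are not reproduced, and the TLS lines are deliberately not encoded as a check: `SSLv3`, `TLSv1` and `RC4-SHA` were the 2013-era BEAST mitigation, and RC4 (RFC 7465) and SSLv3 (RFC 7568) have since been prohibited, so the protocol and cipher policy should come from current guidance rather than from this report. The settings file is inspected with `ast` rather than imported, so it is never executed by the checker.

```python
"""Hardening check for the Horizon settings recommended in the bug report.
Added example, not Horizon, Apache or Django project code; the sample
configuration text below is constructed."""
import ast
import re

# Apache global directives the report requires, with their required values.
REQUIRED_GLOBAL = {"ServerSignature": "Off", "TraceEnable": "Off"}
_CANON = {k.lower(): k for k in REQUIRED_GLOBAL}  # Apache directives are case-insensitive

# Django settings named in full by the report (the truncated SESSION_ lines are omitted).
REQUIRED_DJANGO = {"CSRF_COOKIE_SECURE": True}


def _directives(text):
    """Yield (name, args, in_vhost) per Apache directive, skipping comments and blanks."""
    in_vhost = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            in_vhost = False
            continue
        parts = line.split()
        yield parts[0], parts[1:], in_vhost


def check_apache(text):
    """Return a list of findings for an Apache config; an empty list means it passes."""
    findings = []
    seen = {}
    for name, args, in_vhost in _directives(text):
        key = name.lower()
        if key in _CANON and not in_vhost:
            seen[_CANON[key]] = args[0] if args else ""
        if key == "options" and in_vhost:
            # "Indexes" or "+Indexes" enables directory listings; "-Indexes" disables them.
            for opt in args:
                if opt.lstrip("+").lower() == "indexes":
                    findings.append("Options enables Indexes inside a VirtualHost")
    for name, want in REQUIRED_GLOBAL.items():
        got = seen.get(name)
        if got is None:
            findings.append(f"{name} is not set (want {want})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got} (want {want})")
    return findings


def check_django_settings(source):
    """Return findings for local_settings.py source text, parsed with ast (never executed)."""
    values = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    values[target.id] = node.value.value
    findings = []
    for name, want in REQUIRED_DJANGO.items():
        if name not in values:
            findings.append(f"{name} is not set (want {want!r})")
        elif values[name] is not want:  # 'is' so that 1 does not pass as True
            findings.append(f"{name} is {values[name]!r} (want {want!r})")
    return findings


# Constructed samples: Apache defaults before hardening, and the hardened form.
WEAK_APACHE = """\
ServerSignature On
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    Options Indexes FollowSymLinks
</VirtualHost>
"""
HARDENED_APACHE = """\
ServerSignature Off
TraceEnable Off
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    Options -Indexes FollowSymLinks
</VirtualHost>
"""
WEAK_SETTINGS = "DEBUG = False\n"
HARDENED_SETTINGS = "DEBUG = False\nCSRF_COOKIE_SECURE = True\n"

if __name__ == "__main__":
    for label, findings in [("weak apache", check_apache(WEAK_APACHE)),
                            ("hardened apache", check_apache(HARDENED_APACHE)),
                            ("weak settings", check_django_settings(WEAK_SETTINGS)),
                            ("hardened settings", check_django_settings(HARDENED_SETTINGS))]:
        print(label, "->", findings or "OK")
```

Running the script prints three findings for the weak Apache sample (directory indexes enabled, `ServerSignature On`, `TraceEnable` unset) and one for the weak settings file, and `OK` for both hardened samples; pointing `check_apache` and `check_django_settings` at real files is a matter of passing their contents.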
Activity log:

| Changed in | Field | Change |
|---|---|---|
| (bug) | description | updated (4 times) |
| horizon | assignee | nobody → Jesse Pretorius (jesse-pretorius) |
| openstack-manuals | status | New → Confirmed |
| openstack-manuals | importance | Undecided → Medium |
| horizon | milestone | none → grizzly-3 |
| horizon | status | Fix Committed → Fix Released |
| horizon | milestone | grizzly-3 → 2013.1 |
| openstack-manuals | importance | Medium → Wishlist |
| openstack-manuals | tags | added: sec-guide |
| openstack-manuals | assignee | nobody → OpenStack Security Group (openstack-ossg) |
| openstack-manuals | status | Confirmed → Fix Released |
Fix proposed to branch: master
Review: https://review.openstack.org/21868