Security Documentation for Horizon

Horizon's documentation doesn't contain much in terms of guidelines for securing a deployment.

The following should be documented somewhere:

When implementing Horizon for public usage, with the website served through HTTPS, the following recommendations apply.

In the Apache global configuration ensure that the following directive is configured to prevent the server from sharing its name, version and any other information that could be used for an attack:

ServerSignature Off

In the Apache global configuration ensure that the following directive is configured to prevent cross-site tracing [1]:

TraceEnable Off

In the Apache virtual host configuration:

1) Ensure that the "Indexes" option is not included in the Options directive.
2) Protect the server from BEAST attacks [2] by implementing the following options:

  SSLHonorCipherOrder on
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES

In local_settings.py, implement the following settings in order to help protect the cookies from cross-site scripting [3]:

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True

Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4 and will therefore not work for most packaged Essex deployments.

Also, since a recent patch [4], you can disable browser autocompletion [5] for the authentication form by changing the 'password_autocomplete' attribute to 'off' in horizon/conf/default.py.

[1] http://www.kb.cert.org/vuls/id/867593
[2] http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
[3] https://www.owasp.org/index.php/HttpOnly
[4] https://review.openstack.org/21349
[5] https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML