security/safety enhancement based on OpenStack Security Guide / observatory.mozilla.org
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard Charm | Fix Released | Medium | Nobuto Murata | 17.11
Bug Description
Our charm deployed dashboard has A- grade (green) in https:/
Additional checks in https:/
====
What is needed:
- CSP may depend on Horizon upstream:
https:/
- Set X-XSS-Protection "1; mode=block" in Apache or SECURE_
- Set X-Content-
- Set Strict-
- Set CSRF_COOKIE_SECURE and SESSION_
====
(-NN) scores show areas for improvement.
Test | Pass | Score | Explanation
---|---|---|---
Content Security Policy | no | -25 | Content Security Policy (CSP) header not implemented
Cookies | no | -20 | Cookies set without using the Secure flag or set over http
Cross-origin Resource Sharing | yes | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning | yes | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security | no | -20 | HTTP Strict Transport Security (HSTS) header not implemented
Redirection | yes | 0 | Initial redirection is to https on same host, final destination is https
Referrer Policy | yes | 0 | Referrer-Policy header not implemented (optional)
Subresource Integrity | yes | 0 | Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content- | | |
X-Frame-Options | yes | 0 | X-Frame-Options (XFO) header set to SAMEORIGIN or DENY
X-XSS-Protection | no | -10 | X-XSS-Protection header not implemented
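To verify a fix for the items in the table above without re-running the hosted scanner, the following script re-implements the failing checks (CSP, HSTS, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options and the Secure flag on cookies) against a list of response headers. It is an added example and is not code from charm-openstack-dashboard, Horizon or observatory.mozilla.org. The penalties for CSP, cookies, HSTS and X-XSS-Protection are the ones shown in the report; the penalties for X-Content-Type-Options and X-Frame-Options, the six-month HSTS threshold, the `fetch_headers` helper and the BEFORE/AFTER header sets are assumptions constructed for the example.

```python
"""Offline header audit for a Horizon (OpenStack Dashboard) deployment.

Added example, not charm-openstack-dashboard or Horizon code.  Reproduces
the checks from the Observatory table so the 'before' and 'after' state of
a deployment can be compared from a captured set of response headers.
"""
import http.client
import re
import ssl
from urllib.parse import urlsplit

HSTS_MIN_AGE = 15552000  # six months; assumed threshold for an acceptable max-age


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE


def _xss_ok(value):
    return (value or "").replace(" ", "").lower().startswith("1;mode=block")


# (header, predicate on the value or None, penalty, explanation)
# CSP/HSTS/X-XSS-Protection penalties come from the report; the last two are assumed.
CHECKS = [
    ("Content-Security-Policy", lambda v: v is not None, -25,
     "CSP header not implemented"),
    ("Strict-Transport-Security", _hsts_ok, -20,
     "HSTS header not implemented or max-age below %d" % HSTS_MIN_AGE),
    ("X-XSS-Protection", _xss_ok, -10,
     "X-XSS-Protection not set to '1; mode=block'"),
    ("X-Content-Type-Options", lambda v: (v or "").strip().lower() == "nosniff", -5,
     "X-Content-Type-Options not set to 'nosniff' (penalty assumed)"),
    ("X-Frame-Options", lambda v: (v or "").strip().upper() in ("DENY", "SAMEORIGIN"), -20,
     "X-Frame-Options not DENY or SAMEORIGIN (penalty assumed)"),
]


def insecure_cookies(set_cookie_values):
    """Names of cookies in the given Set-Cookie values that lack the Secure flag."""
    names = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(parts[0].split("=", 1)[0])
    return names


def audit(headers):
    """headers: list of (name, value) pairs, e.g. from HTTPResponse.getheaders().
    Returns (score, findings); the score starts at 100 and mirrors the report."""
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat; keep every value
        else:
            single[name.lower()] = value
    score, findings = 100, []
    for header, ok, penalty, why in CHECKS:
        if not ok(single.get(header.lower())):
            score += penalty
            findings.append("%s: %s (%d)" % (header, why, penalty))
    bad = insecure_cookies(cookies)
    if bad:
        score -= 20
        findings.append("Cookies set without the Secure flag: %s (-20)" % ", ".join(bad))
    return score, findings


def fetch_headers(url, timeout=10):
    """Fetch the response headers of a live dashboard over TLS (assumed helper)."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", u.path or "/", headers={"Host": u.hostname})
    headers = conn.getresponse().getheaders()
    conn.close()
    return headers


# Constructed samples: the state the report describes, and the target state.
BEFORE = [
    ("Server", "Apache"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "csrftoken=abc123; Path=/"),
    ("Set-Cookie", "sessionid=def456; HttpOnly; Path=/"),
    ("Content-Type", "text/html; charset=utf-8"),
]
AFTER = BEFORE[:3] + [
    ("Content-Security-Policy", "default-src 'self'"),  # placeholder; tune to Horizon
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "csrftoken=abc123; Secure; Path=/"),
    ("Set-Cookie", "sessionid=def456; Secure; HttpOnly; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        score, findings = audit(hdrs)
        print(label, score, *findings, sep="\n  ")
```

Run it against a live deployment with `audit(fetch_headers("https://dashboard.example/"))`. The CSP value in the AFTER set is only a placeholder: a policy that strict will break Horizon's inline scripts, which is why the description above notes that CSP may depend on upstream Horizon changes. The cookie check only confirms the Secure attribute that CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE add; it does not check HttpOnly or SameSite.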
summary: security/safety enhancement based on observatory.mozilla.org → security/safety enhancement based on OpenStack Security Guide / observatory.mozilla.org
description: updated
Changed in charm-openstack-dashboard:
  status: New → Triaged
  importance: Undecided → Medium
tags: added: cpe-onsite
Changed in charm-openstack-dashboard:
  status: Triaged → In Progress
  assignee: nobody → Nobuto Murata (nobuto)
Changed in charm-openstack-dashboard:
  milestone: none → 17.11
Changed in charm-openstack-dashboard:
  status: Fix Committed → Fix Released
https://docs.openstack.org/security-guide/dashboard/https-hsts-xss-ssrf.html