security/safety enhancement based on OpenStack Security Guide / observatory.mozilla.org

Bug #1713202 reported by Nobuto Murata
Affects: OpenStack Dashboard Charm
Status: Fix Released
Importance: Medium
Assigned to: Nobuto Murata

Bug Description

Our charm-deployed dashboard has an A- grade (green) in https://www.ssllabs.com/ssltest/, which is OK considering it supports some old clients.

Additional checks in https://observatory.mozilla.org show room for improvement, listed below. It would be nice to have support for more security/safety features.

====
What is needed:

- CSP may depend on Horizon upstream:
https://bugs.launchpad.net/horizon/+bug/1618024

- Set X-XSS-Protection "1; mode=block" in Apache or SECURE_BROWSER_XSS_FILTER in Django

- Set X-Content-Type-Options "nosniff" in Apache or SECURE_CONTENT_TYPE_NOSNIFF in Django

- Set Strict-Transport-Security "max-age=15768000" in Apache or SECURE_HSTS_SECONDS in Django, only when enforce-ssl is set in the charm config

- Set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE in Django when SSL is configured
====

Negative (-NN) scores show areas for improvement.

Test                            Score  Explanation
Content Security Policy           -25  Content Security Policy (CSP) header not implemented
Cookies                           -20  Cookies set without using the Secure flag or set over http
Cross-origin Resource Sharing       0  Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning             0  HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security    -20  HTTP Strict Transport Security (HSTS) header not implemented
Redirection                         0  Initial redirection is to https on same host, final destination is https
Referrer Policy                     0  Referrer-Policy header not implemented (optional)
Subresource Integrity               0  Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content-Type-Options             -5  X-Content-Type-Options header not implemented
X-Frame-Options                     0  X-Frame-Options (XFO) header set to SAMEORIGIN or DENY
X-XSS-Protection                  -10  X-XSS-Protection header not implemented
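The script below is an added illustration, not code from the charm or from Horizon. It audits a captured HTTP response against the four items in the "What is needed" list: X-XSS-Protection set to "1; mode=block", X-Content-Type-Options set to "nosniff", Strict-Transport-Security with a non-zero max-age only when enforce-ssl is on, and the Secure flag on every Set-Cookie. The two responses it runs against are constructed for the example, not captured from a real deployment, and the enforce_ssl parameter is an assumption standing in for the charm's enforce-ssl option (HTTP redirected to HTTPS).

```python
"""Audit an HTTP response for the hardening items tracked in bug #1713202.

Added example; not the charm's or Horizon's code. Sample responses below are
constructed for illustration, not captured from a real Horizon deployment.
"""
import re
from collections import defaultdict

# Constructed "before" response: no hardening headers, cookies without Secure.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=abc123; Path=/
Set-Cookie: sessionid=def456; HttpOnly; Path=/
X-Frame-Options: SAMEORIGIN

<html>...</html>
"""

# Constructed "after" response: what the bug's list asks for, with HSTS.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=abc123; Path=/; Secure
Set-Cookie: sessionid=def456; HttpOnly; Path=/; Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15768000

<html>...</html>
"""


def parse_headers(raw):
    """Split a raw response into (status line, {lower-name: [values]}).

    Repeated headers such as Set-Cookie are kept as separate values; parsing
    stops at the first blank line, where the body begins.
    """
    lines = raw.splitlines()
    headers = defaultdict(list)
    for line in lines[1:]:
        if line.strip() == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the audit
        headers[name.strip().lower()].append(value.strip())
    return lines[0], dict(headers)


def cookie_name(set_cookie):
    """Return the cookie name from a Set-Cookie value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def cookie_has_secure(set_cookie):
    """True if the Set-Cookie value carries the Secure attribute."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" in attrs


def hsts_max_age(value):
    """Return the integer max-age from an HSTS header value, or None."""
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit(raw, enforce_ssl):
    """Return (code, message) findings; an empty list means all checks pass.

    enforce_ssl is assumed to mirror the charm's enforce-ssl option: plain
    HTTP is redirected to HTTPS, so sending HSTS cannot lock users out.
    """
    _, h = parse_headers(raw)
    findings = []

    xss = re.sub(r"\s+", "", h.get("x-xss-protection", [""])[0]).lower()
    if xss != "1;mode=block":
        findings.append(("xss", "X-XSS-Protection is not '1; mode=block'"))

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append(("nosniff", "X-Content-Type-Options is not 'nosniff'"))

    hsts = h.get("strict-transport-security")
    if enforce_ssl:
        if not hsts:
            findings.append(("hsts-missing", "Strict-Transport-Security not sent"))
        elif not hsts_max_age(hsts[0]):
            findings.append(("hsts-max-age", "HSTS sent with missing or zero max-age"))
    elif hsts:
        # HSTS without an HTTP->HTTPS redirect: browsers that cached the
        # policy refuse plain HTTP until max-age expires.
        findings.append(("hsts-without-enforce-ssl",
                         "HSTS sent while enforce-ssl is off"))

    for cookie in h.get("set-cookie", []):
        if not cookie_has_secure(cookie):
            findings.append(("cookie-insecure",
                             "cookie %r set without the Secure flag" % cookie_name(cookie)))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw, enforce_ssl=True) or "no findings")
```

To run it against a real dashboard, replace WEAK_RESPONSE with the output of `curl -sI https://<dashboard>/auth/login/` (status line plus headers, which is what parse_headers expects) and pass enforce_ssl according to the charm option actually set; the audit is intentionally strict about the exact X-XSS-Protection value because Observatory scores the "1; mode=block" form.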

Tags: cpe-onsite
Nobuto Murata (nobuto)
summary: - security/safety enhancement based on observatory.mozilla.org
+ security/safety enhancement based on OpenStack Security Guide /
+ observatory.mozilla.org
Nobuto Murata (nobuto)
description: updated
Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Medium
Chris Gregan (cgregan)
tags: added: cpe-onsite
Nobuto Murata (nobuto)
Changed in charm-openstack-dashboard:
status: Triaged → In Progress
assignee: nobody → Nobuto Murata (nobuto)
Changed in charm-openstack-dashboard:
milestone: none → 17.11
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.openstack.org/498199
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=47396b52dea795548a22e71fe8e51a414c7d300d
Submitter: Jenkins
Branch: master

commit 47396b52dea795548a22e71fe8e51a414c7d300d
Author: Nobuto Murata <email address hidden>
Date: Sat Aug 26 20:12:43 2017 +0700

    Enable security related headers when SSL is enabled

    Horizon can be setup in a more secure way. Enable more headers:
     - X-XSS-Protection "1; mode=block"
     - X-Content-Type-Options "nosniff"
     - CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE in Django

    Change-Id: I84605bd7e00df64da522b805b4e9a88521d1e0f6
    Partial-Bug: #1713202

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/511898

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.openstack.org/511898
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=1d45c57fd27b1049e5663b6814ded08a52cbf3a4
Submitter: Zuul
Branch: master

commit 1d45c57fd27b1049e5663b6814ded08a52cbf3a4
Author: Nobuto Murata <email address hidden>
Date: Fri Oct 13 10:53:09 2017 -0400

    Allow configuring max-age for HSTS (HTTP Strict Transport Security)

    HSTS is helpful to bring more protection to users, but on the other
    hand it locks users into HTTPS only until max-age expires. To
    enable HSTS, admins must enable the enforce-ssl option and explicitly
    set a non-zero value for hsts-max-age-seconds.

    Content Security Policy (CSP) is not enabled this time. Horizon upstream
    may need some work: https://bugs.launchpad.net/horizon/+bug/1618024

    Change-Id: I7fd774ba9a1c292d51625d6d36a086b2a531ae75
    Partial-Bug: #1713202

Revision history for this message
Nobuto Murata (nobuto) wrote :

Although Content Security Policy (CSP) is not enabled this time, I will mark this bug as Fix Committed, because multiple enhancements have been added to the charm and that's all we can do for the time being.

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released