2017-08-26 06:40:05 |
Nobuto Murata |
bug |
|
|
added bug |
2017-08-26 06:42:59 |
Nobuto Murata |
attachment added |
|
observatory.mozilla.org.png https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1713202/+attachment/4939059/+files/observatory.mozilla.org.png |
|
2017-08-26 07:06:20 |
Nobuto Murata |
summary |
security/safety enhancement based on observatory.mozilla.org |
security/safety enhancement based on OpenStack Security Guide / observatory.mozilla.org |
|
2017-08-26 10:15:53 |
Nobuto Murata |
description |
Our charm-deployed dashboard has an A- grade (green) in https://www.ssllabs.com/ssltest/ which is OK considering supporting some old clients.
Additional checks in https://observatory.mozilla.org show room for improvement, listed below. It would be nice to have more security/safety feature support.
(-NN) scores show areas for improvement.
Test                             Score  Explanation
Content Security Policy            -25  Content Security Policy (CSP) header not implemented
Cookies                            -20  Cookies set without using the Secure flag or set over http
Cross-origin Resource Sharing        0  Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning              0  HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security     -20  HTTP Strict Transport Security (HSTS) header not implemented
Redirection                          0  Initial redirection is to https on same host, final destination is https
Referrer Policy                      0  Referrer-Policy header not implemented (optional)
Subresource Integrity                0  Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content-Type-Options              -5  X-Content-Type-Options header not implemented
X-Frame-Options                      0  X-Frame-Options (XFO) header set to SAMEORIGIN or DENY
X-XSS-Protection                   -10  X-XSS-Protection header not implemented |
Our charm-deployed dashboard has an A- grade (green) in https://www.ssllabs.com/ssltest/ which is OK considering supporting some old clients.
Additional checks in https://observatory.mozilla.org show room for improvement, listed below. It would be nice to have more security/safety feature support.
====
What is needed:
- CSP may depend on Horizon upstream:
https://bugs.launchpad.net/horizon/+bug/1618024
- Set X-XSS-Protection "1; mode=block" in Apache or SECURE_BROWSER_XSS_FILTER in Django
- Set X-Content-Type-Options "nosniff" in Apache or SECURE_CONTENT_TYPE_NOSNIFF in Django
- Set Strict-Transport-Security "max-age=15768000" in Apache or SECURE_HSTS_SECONDS in Django only when enforce-ssl is set in charm config
- Set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE in Django when SSL is configured
====
(-NN) scores show areas for improvement.
Test                             Score  Explanation
Content Security Policy            -25  Content Security Policy (CSP) header not implemented
Cookies                            -20  Cookies set without using the Secure flag or set over http
Cross-origin Resource Sharing        0  Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning              0  HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security     -20  HTTP Strict Transport Security (HSTS) header not implemented
Redirection                          0  Initial redirection is to https on same host, final destination is https
Referrer Policy                      0  Referrer-Policy header not implemented (optional)
Subresource Integrity                0  Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content-Type-Options              -5  X-Content-Type-Options header not implemented
X-Frame-Options                      0  X-Frame-Options (XFO) header set to SAMEORIGIN or DENY
X-XSS-Protection                   -10  X-XSS-Protection header not implemented |
|
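The "What is needed" list above, worked through as an added example (not the charm's own code): one function maps the charm's SSL state to the Django settings named in the list, and a second audits a captured response against the Observatory findings in the table. The response in `BEFORE` is constructed, not taken from a real deployment.

```python
from http.cookies import SimpleCookie

HSTS_MAX_AGE = 15768000  # the max-age value proposed in the bug (about six months)

def django_security_settings(ssl_configured, enforce_ssl):
    """Django equivalents of the Apache headers listed under 'What is needed'.
    Secure cookie flags need SSL; HSTS is only safe when HTTPS is enforced,
    because browsers pin the host to HTTPS for max-age once they see it."""
    settings = {
        "SECURE_BROWSER_XSS_FILTER": True,    # X-XSS-Protection: 1; mode=block
        "SECURE_CONTENT_TYPE_NOSNIFF": True,  # X-Content-Type-Options: nosniff
    }
    if ssl_configured:
        settings["CSRF_COOKIE_SECURE"] = True
        settings["SESSION_COOKIE_SECURE"] = True
        if enforce_ssl:                       # charm config option enforce-ssl
            settings["SECURE_HSTS_SECONDS"] = HSTS_MAX_AGE
    return settings

def audit_headers(headers, over_https=True):
    """Report the Observatory findings from the bug's table that still apply.
    `headers` maps header name -> list of values (Set-Cookie may repeat)."""
    h = {name.lower(): values for name, values in headers.items()}
    def first(name):
        return h.get(name, [""])[0].lower()
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header not implemented")
    if first("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options header not implemented")
    if not first("x-xss-protection").startswith("1"):
        findings.append("X-XSS-Protection header not implemented")
    if "content-security-policy" not in h:
        findings.append("CSP header not implemented")
    for raw in h.get("set-cookie", []):
        for name, morsel in SimpleCookie(raw).items():
            # Secure flag missing, or the cookie was set on a plain-http response
            if not morsel["secure"] or not over_https:
                findings.append(f"cookie {name} set without Secure flag or over http")
    return findings

# Constructed sample: the kind of response the table above was scored against
BEFORE = {
    "Content-Type": ["text/html"],
    "X-Frame-Options": ["SAMEORIGIN"],
    "Set-Cookie": ["csrftoken=abc123; Path=/", "sessionid=def456; Path=/; HttpOnly"],
}
```

`audit_headers(BEFORE)` reproduces the HSTS, nosniff, XSS-Protection, CSP and cookie findings from the table; re-running it on a response built from `django_security_settings(True, True)` leaves only the CSP item, which the bug defers to Horizon upstream.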
2017-08-31 20:26:39 |
Corey Bryant |
charm-openstack-dashboard: status |
New |
Triaged |
|
2017-08-31 20:27:02 |
Corey Bryant |
charm-openstack-dashboard: importance |
Undecided |
Medium |
|
2017-09-19 14:47:50 |
Chris Gregan |
tags |
|
cpe-onsite |
|
2017-09-27 16:35:49 |
Nobuto Murata |
charm-openstack-dashboard: status |
Triaged |
In Progress |
|
2017-09-27 16:35:51 |
Nobuto Murata |
charm-openstack-dashboard: assignee |
|
Nobuto Murata (nobuto) |
|
2017-10-09 17:35:10 |
Edward Hope-Morley |
charm-openstack-dashboard: milestone |
|
17.11 |
|
2017-10-25 01:02:44 |
Nobuto Murata |
charm-openstack-dashboard: status |
In Progress |
Fix Committed |
|
2017-12-01 06:57:06 |
James Page |
charm-openstack-dashboard: status |
Fix Committed |
Fix Released |
|