Content-Security-Policy for services

Bug #1717321 reported by Matthew Thode on 2017-09-14
Affects: openstack-ansible; Importance: Wishlist; Assigned to: Unassigned

Bug Description

Taken from https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

For OSA this would be adding a line like this to the web server config.

HORIZON (nginx): add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; child-src 'self' https://example.com:6080;";

Other services are much more simple:

NOVA-PLACEMENT: add_header Content-Security-Policy "default-src 'self' https: wss:;";

The problem with setting these up is that it takes trial and error; the upstream projects (even horizon) don't have this info.

Some other headers that may be useful follow

add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

for ssl something like the following for HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
and maybe pin the cert?
add_header Public-Key-Pins 'pin-sha256="SHA_GOES_HERE"; max-age=2592000; includeSubDomains';

Other than that some other good settings for nginx follow

to not have dns get mitm'd
resolver 1.2.3.4;
resolver_timeout 5s;

for OCSP stapling (needs a real cert with all intermediaries/root)
ssl_stapling on;
ssl_stapling_verify on;

Matthew Thode (prometheanfire) wrote :

oh ya, generate your own dhparam...

ssl_dhparam /etc/nginx/params.4096;

there's a bunch of ssl things that can be done really.

    ssl_trusted_certificate foo.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA256:ECDHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

not sure if this should be split out or all be considered nginx config security updates
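The TLS stanza above is the kind of thing a reviewer checks mechanically rather than by eye. The linter below is an added example for this bug page, not openstack-ansible code: it parses nginx directives out of a config snippet (the constructed sample follows the stanza posted here, with a shortened cipher list and the `ssl_dhparam` and header lines from the description folded in) and reports the settings that would draw comments today: TLS 1.0/1.1 (deprecated by RFC 8996), session tickets left at the nginx default of `on`, stapling without `ssl_stapling_verify` or the issuer chain in `ssl_trusted_certificate`, no custom dhparam, no HSTS header, and the `Public-Key-Pins` header, which browsers have since stopped enforcing. The finding strings are this example's own.

```python
"""Lint the TLS stanza of an nginx server block (added example, not OSA code)."""
import shlex
from typing import Dict, List

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_nginx_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map directive name -> list of argument lists (a directive such as
    add_header may repeat). Braces and comments are skipped; quoted values
    such as a cipher string stay one argument."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2:
            continue
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def first_arg(directives: Dict[str, List[List[str]]], name: str, default: str) -> str:
    """First argument of the first occurrence of a directive, or the nginx default."""
    return directives[name][0][0] if name in directives else default


def lint_tls(text: str) -> List[str]:
    """Return findings for the snippet; an empty list means nothing to report."""
    d = parse_nginx_directives(text)
    findings: List[str] = []

    protocols = d.get("ssl_protocols", [[]])[0]
    deprecated = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    if not protocols:
        findings.append("ssl_protocols not set; relying on the nginx default")
    elif deprecated:
        findings.append("ssl_protocols enables deprecated " + " ".join(deprecated))

    # nginx defaults tickets to on; without key rotation a leaked ticket key
    # decrypts every past session it protected.
    if first_arg(d, "ssl_session_tickets", "on") != "off":
        findings.append("ssl_session_tickets should be off unless ticket keys are rotated")

    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam not set; generate your own group")

    if first_arg(d, "ssl_stapling", "off") == "on":
        if first_arg(d, "ssl_stapling_verify", "off") != "on":
            findings.append("ssl_stapling on without ssl_stapling_verify")
        elif "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify needs ssl_trusted_certificate with the issuer chain")

    # Only explicit suite names are checked; OpenSSL aliases (HIGH, kEECDH)
    # are not expanded here.
    suites = first_arg(d, "ssl_ciphers", "").split(":")
    non_fs = [s for s in suites if "-" in s and not s.startswith(("!", "ECDHE-", "DHE-"))]
    if non_fs:
        findings.append("ssl_ciphers includes non-forward-secret suites: " + ":".join(non_fs))

    header_names = {args[0].lower() for args in d.get("add_header", [])}
    if "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header")
    if "public-key-pins" in header_names:
        findings.append("Public-Key-Pins is obsolete; browsers no longer enforce HPKP")
    return findings


# Constructed sample following the stanza posted in the bug (cipher list shortened).
PAGE_STANZA = """
server {
    listen 443 ssl;
    ssl_dhparam /etc/nginx/params.4096;
    ssl_trusted_certificate foo.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5";
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header Public-Key-Pins 'pin-sha256="SHA_GOES_HERE"; max-age=2592000; includeSubDomains';
}
"""

# Same stanza with TLS 1.0/1.1 dropped and the pinning header removed.
HARDENED_STANZA = "\n".join(
    line for line in PAGE_STANZA.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3").splitlines()
    if "Public-Key-Pins" not in line
)

if __name__ == "__main__":
    for name, snippet in (("posted stanza", PAGE_STANZA), ("hardened stanza", HARDENED_STANZA)):
        print(name, "->", lint_tls(snippet) or "no findings")
```

Run against the posted stanza it reports the two deprecated protocol versions and the pinning header; the hardened variant comes back clean. The parser is deliberately line-oriented, so multi-line directives or `include` files are out of scope.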

see also our bug triage conversation about the impact and the decision on how to fix it.
We need someone with cycles to fix it.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Wishlist
Matthew Thode (prometheanfire) wrote :

OK, current plan, ssl settings can be done in another bug or something

add the following headers statically to all roles (particular location depends on what the role uses as a web server/proxy). It could go into haproxy, apache or nginx configs, depending on the role/subproject. Particular header content will differ only for the content security policy and even then, only really for horizon. The XSS and Content-Type-Options headers will be the same for all requests (haven't seen them ever break something).

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self' https: wss:;";

The following header will be defaulted to on but will be able to be disabled for those that want to embed something within an iframe. ONLY horizon will be able to disable it as it is the only service that is iframe-embeddable.

add_header X-Frame-Options DENY;

For horizon, the CSP header value that allows the web console to work requires us to know the value of the web console domain/ip/url (see the example.com part below).

add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; child-src 'self' https://example.com:6080;";

For nginx configs we can set something like the following to ensure DNS uses a trusted source, not sure if this will require a new var or if one exists. I'll look for comparable values for apache and haproxy.

resolver 1.2.3.4;
resolver_timeout 5s;
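Once the headers from the description and the plan above are deployed, the natural check is to pull a response from each service and confirm the headers are present and that the CSP says what the bug intends. The auditor below is an added example for this bug page, not code from openstack-ansible or any of its roles. It parses a raw HTTP/1.1 response (the two samples are constructed, using the CSP values posted in this bug and the `example.com` console host from them), verifies the four proposed headers, and splits the Content-Security-Policy into directives so it can apply the fallback-to-`default-src` rule and flag script sources that weaken the policy: the `'unsafe-inline'`/`'unsafe-eval'` keywords the horizon value needs, and scheme-only sources such as `https:` in the generic value, which let any HTTPS origin serve scripts. The `allow_framing` switch models the per-service X-Frame-Options opt-out the plan describes for horizon. Finding strings are this example's own.

```python
"""Audit the security headers proposed in this bug (added example, not OSA code)."""
from typing import Dict, List

# CSP keywords that let injected inline or eval'd script run.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "*"}
# Scheme-only sources: any host reachable over that scheme may serve scripts.
BROAD_SCHEMES = {"https:", "http:", "data:", "blob:"}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Header name (lower-cased) -> value from a raw HTTP response; body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A fetch directive that is absent falls back to default-src."""
    return policy[directive] if directive in policy else policy.get("default-src", [])


def audit_csp(value: str) -> List[str]:
    findings: List[str] = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    script = effective_sources(policy, "script-src")
    unsafe = [s for s in script if s.lower() in UNSAFE_KEYWORDS]
    if unsafe:
        findings.append("CSP script-src allows " + ", ".join(unsafe))
    broad = [s for s in script if s.lower() in BROAD_SCHEMES]
    if broad:
        findings.append("CSP script-src allows any origin with scheme " + ", ".join(broad))
    return findings


def audit_response(raw: str, allow_framing: bool = False) -> List[str]:
    """Return findings for one response; empty list means it matches the plan."""
    headers = parse_response_headers(raw)
    findings: List[str] = []
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be nosniff, got {xcto!r}")
    # Browsers have since dropped the XSS auditor this header controlled, so
    # this only confirms the value the bug proposes.
    xxp = headers.get("x-xss-protection")
    if xxp is None:
        findings.append("missing X-XSS-Protection")
    elif xxp.replace(" ", "") != "1;mode=block":
        findings.append(f"X-XSS-Protection should be '1; mode=block', got {xxp!r}")
    xfo = headers.get("x-frame-options")
    if xfo is None and not allow_framing:
        findings.append("missing X-Frame-Options")
    elif xfo is not None and xfo.upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got {xfo!r}")
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        findings.extend(audit_csp(csp))
    return findings


# Constructed sample responses; CSP values are the ones posted in this bug.
PLACEMENT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self' https: wss:;\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    '{"resource_providers": []}'
)
HORIZON_CSP = ("default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; "
               "style-src 'unsafe-inline' 'self'; child-src 'self' https://example.com:6080;")
HORIZON_RESPONSE = (  # X-Frame-Options deliberately absent: operator opted out
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    f"Content-Security-Policy: {HORIZON_CSP}\r\n"
    "\r\n"
    "<html></html>"
)
BARE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print("placement:", audit_response(PLACEMENT_RESPONSE))
    print("horizon:  ", audit_response(HORIZON_RESPONSE, allow_framing=True))
```

The generic value passes the presence checks but still gets one finding, because `https:` in `default-src` means any HTTPS origin may supply scripts; the horizon value trades that for the `'unsafe-*'` keywords the console needs. Both are worth knowing before the policy goes into a role default.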

Matthew Thode (prometheanfire) wrote :

dns setup isn't needed, so the last stanza (resolver) is not needed.

If your config file has static DNS names (not generated), and you do not care about tracking IP changes without an nginx reload, you don't need nginx's resolver. In this case all DNS names will be resolved on startup.

Fix proposed to branch: master
Review: https://review.openstack.org/507189

Changed in openstack-ansible:
assignee: nobody → Matthew Thode (prometheanfire)
status: Confirmed → In Progress
Changed in openstack-ansible:
assignee: Matthew Thode (prometheanfire) → Kevin Carter (kevin-carter)
Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → Matthew Thode (prometheanfire)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/513973

Changed in openstack-ansible:
assignee: Matthew Thode (prometheanfire) → Kevin Carter (kevin-carter)

Reviewed: https://review.openstack.org/507189
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=81a28142a065e07f16756b1bc4cfb68a98e0a2e9
Submitter: Zuul
Branch: master

commit 81a28142a065e07f16756b1bc4cfb68a98e0a2e9
Author: Matthew Thode <email address hidden>
Date: Mon Sep 25 11:08:21 2017 -0500

    Add security headers to web accessible services.

    Adds the following headers as static:

        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        append Content-Security-Policy "default-src 'self' https: wss:;"

    nosniff prevents non-executable mime types from becoming executable.
    The X-XSS-Protection header will prevent the loading of a page if the
    browser detects an xss attack. The Content-Security-Policy declares
    what dynamic resources are allowed to load.

    Adds the following header as user-settable via the
    keystone_x_frame_options variable.

        X-Frame-Options "DENY"

    By default the X-Frame-Options header denies embedding in an iframe.

    Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
    Partial-Bug: 1717321

Reviewed: https://review.openstack.org/513973
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=bb64d2bd4309b1e538f88725b29dde659d3ecd2b
Submitter: Zuul
Branch: stable/pike

commit bb64d2bd4309b1e538f88725b29dde659d3ecd2b
Author: Matthew Thode <email address hidden>
Date: Mon Sep 25 11:08:21 2017 -0500

    Add security headers to web accessible services.

    Adds the following headers as static:

        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        append Content-Security-Policy "default-src 'self' https: wss:;"

    nosniff prevents non-executable mime types from becoming executable.
    The X-XSS-Protection header will prevent the loading of a page if the
    browser detects an xss attack. The Content-Security-Policy declares
    what dynamic resources are allowed to load.

    Adds the following header as user-settable via the
    keystone_x_frame_options variable.

        X-Frame-Options "DENY"

    By default the X-Frame-Options header denies embedding in an iframe.

    Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
    Partial-Bug: 1717321
    (cherry picked from commit 81a28142a065e07f16756b1bc4cfb68a98e0a2e9)

tags: added: in-stable-pike

Change abandoned by Kevin Carter (cloudnull) (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/513974

Changed in openstack-ansible:
assignee: Kevin Carter (kevin-carter) → nobody