[Openstack-security] [Bug 1118194] [NEW] Security Documentation for Horizon
Launchpad Bug Tracker
1118194 at bugs.launchpad.net
Fri Dec 20 07:36:14 UTC 2013
Tom Fifield (fifieldt) has assigned this bug to you for openstack-manuals:
Horizon's documentation doesn't contain much in terms of guidelines for
securing a deployment.
The following should be documented somewhere:
When implementing Horizon for public usage, with the website served
through HTTPS, the following recommendations apply.
In the Apache global configuration ensure that the following directive
is configured to prevent the server from sharing its name, version and
any other information that could be used for an attack:
ServerSignature Off
In the Apache global configuration ensure that the following directive
is configured to prevent cross-site tracing [1]:
TraceEnable Off
In the Apache virtual host configuration:
1) Ensure that the "Indexes" option is not included in the Options directive.
2) Protect the server from BEAST attacks [2] by implementing the following options:
SSLHonorCipherOrder on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES
In local_settings.py, implement the following settings in order to help
protect the cookies from cross-site scripting [3]:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
Note that the CSRF_COOKIE_SECURE setting is only available in Django 1.4
and later, and will therefore not work for most packaged Essex deployments.
Also, since a recent patch [4], you can disable browser autocompletion
[5] for the authentication form by changing the 'password_autocomplete'
attribute to 'off' in horizon/conf/default.py.
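As an added example (not part of the bug report or of the Horizon project), the following Python script audits an Apache configuration and a Horizon local_settings.py against the recommendations above and reports which ones are not met. The two embedded sample configurations are constructed for the demonstration and deliberately fail several checks. The script evaluates the directives that have a single correct value (ServerSignature, TraceEnable, Options, SSLHonorCipherOrder) and the three cookie settings; the SSLProtocol and SSLCipherSuite lines are only expected to be present and are not evaluated, since acceptable values change over time.

```python
"""Audit an Apache config and a Horizon local_settings.py for the hardening
settings recommended in the bug report.  Added example; the sample inputs
below are constructed and not taken from any real deployment."""
import ast
import re

# Constructed sample: global section plus one vhost, with two weak settings left in.
SAMPLE_APACHE_CONF = """\
ServerSignature On
TraceEnable Off
<VirtualHost *:443>
    SSLEngine on
    SSLHonorCipherOrder on
    <Directory /var/www/horizon>
        Options Indexes FollowSymLinks
    </Directory>
</VirtualHost>
"""

# Constructed sample: one cookie flag set, one explicitly False, one missing.
SAMPLE_LOCAL_SETTINGS = """\
DEBUG = False
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = False
# SESSION_COOKIE_HTTPONLY is deliberately absent
"""

REQUIRED_COOKIE_SETTINGS = ('CSRF_COOKIE_SECURE',
                            'SESSION_COOKIE_SECURE',
                            'SESSION_COOKIE_HTTPONLY')


def apache_directives(text):
    """Return (name, value) for every directive line, skipping comments and
    <Section> / </Section> tags.  Context nesting is ignored on purpose: the
    report's directives are expected to hold for the whole Horizon site."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('<'):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ''))
    return out


def check_apache(text):
    """Map each Apache recommendation to True (met) or False (not met)."""
    directives = apache_directives(text)

    def value_of(name):
        vals = [v for n, v in directives if n.lower() == name.lower()]
        return vals[-1].lower() if vals else None  # later directive overrides earlier

    results = {
        'ServerSignature Off': value_of('ServerSignature') == 'off',
        'TraceEnable Off': value_of('TraceEnable') == 'off',
        'SSLHonorCipherOrder on': value_of('SSLHonorCipherOrder') == 'on',
    }
    # Options may appear once per <Directory>; none may enable Indexes.
    # "Options All" also enables Indexes, while "-Indexes" disables it.
    options = [v for n, v in directives if n.lower() == 'options']
    results['no Indexes in Options'] = not any(
        re.search(r'(^|\s)\+?(Indexes|All)\b', v, re.IGNORECASE) for v in options)
    return results


def django_settings(text):
    """Extract top-level NAME = <literal> assignments from a settings file by
    parsing it with ast instead of importing it, so auditing never runs it."""
    settings = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    try:
                        settings[target.id] = ast.literal_eval(node.value)
                    except ValueError:
                        pass  # computed value; not one of the literals we audit
    return settings


def check_local_settings(text):
    """Each cookie setting must be literally True; missing counts as not met."""
    settings = django_settings(text)
    return {name: settings.get(name) is True for name in REQUIRED_COOKIE_SETTINGS}


def failing_checks(apache_conf, local_settings):
    """Sorted names of every recommendation the given configs do not meet."""
    results = {}
    results.update(check_apache(apache_conf))
    results.update(check_local_settings(local_settings))
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == '__main__':
    for finding in failing_checks(SAMPLE_APACHE_CONF, SAMPLE_LOCAL_SETTINGS):
        print('FAIL:', finding)
```

Run against the constructed samples it reports the ServerSignature, Indexes, SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY findings; point it at a real `httpd.conf` and `local_settings.py` by reading the files into the two arguments of `failing_checks`. Parsing the settings file with `ast` rather than importing it means the audit can run on a copy of the file from any host without executing deployment code.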
[1] http://www.kb.cert.org/vuls/id/867593
[2] http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
[3] https://www.owasp.org/index.php/HttpOnly
[4] https://review.openstack.org/21349
[5] https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML
** Affects: horizon
Importance: Undecided
Assignee: Jesse Pretorius (jesse-pretorius)
Status: Fix Released
** Affects: openstack-manuals
Importance: Wishlist
Assignee: OpenStack Security Group (openstack-ossg)
Status: Confirmed
** Tags: sec-guide
--
Security Documentation for Horizon
https://bugs.launchpad.net/bugs/1118194