[Openstack-security] [Bug 1597557] Re: getting CSRF token missing or incorrect. /api/nova/servers/ when CSRF_COOKIE_HTTPONLY=True

Radomir Dopieralski 1597557 at bugs.launchpad.net
Wed Dec 18 10:15:03 UTC 2019


Enabling CSRF_COOKIE_HTTPONLY = True doesn't give any protection, see
https://docs.djangoproject.com/en/3.0/ref/settings/#csrf-cookie-httponly

** Changed in: horizon
       Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1597557

Title:
  getting CSRF token missing or incorrect. /api/nova/servers/ when
  CSRF_COOKIE_HTTPONLY=True

Status in OpenStack Dashboard (Horizon):
  Invalid

Bug description:
  Using stable/mitaka, if I set CSRF_COOKIE_HTTPONLY=True in
  local_settings.py, when I try to launch an instance I get

  Forbidden (CSRF token missing or incorrect.): /api/nova/servers/

  If I set it to false (or don't set it) then it works fine.

  This is what does not work:

  # If Horizon is being served through SSL, then uncomment the following two
  # settings to better secure the cookies from security exploits
  CSRF_COOKIE_SECURE = True
  SESSION_COOKIE_SECURE = True
  # prevent certain client-side attacks, such as cross-site scripting
  CSRF_COOKIE_HTTPONLY = True
  SESSION_COOKIE_HTTPONLY = True


  This is what does work:

  # If Horizon is being served through SSL, then uncomment the following two
  # settings to better secure the cookies from security exploits
  CSRF_COOKIE_SECURE = True
  SESSION_COOKIE_SECURE = True
  # prevent certain client-side attacks, such as cross-site scripting
  CSRF_COOKIE_HTTPONLY = False
  SESSION_COOKIE_HTTPONLY = True

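The failure in the report follows from how the Horizon frontend obtains its CSRF token: the JavaScript client reads the csrftoken cookie and copies it into an X-CSRFToken header, and a cookie flagged HttpOnly is omitted from document.cookie, so the header is never sent and Django answers "CSRF token missing or incorrect." The Django setting documentation linked above makes the same point and adds that HttpOnly on the CSRF cookie buys no practical protection (a script that can read the cookie is already same-origin and can read the token from the page), and that if the flag is enabled anyway, client script must take the token from a hidden form input on the page instead of the cookie. The following added example is not Horizon's or Django's code; it models the three cases with a constructed cookie jar and a simplified stand-in for Django's middleware check (function names such as csrfHeaders, fakeServerCheck and launchInstance and all sample values are assumptions made for the illustration).

```javascript
// Added example, not Horizon's or Django's code. Models why a JavaScript
// client that reads the CSRF token from the `csrftoken` cookie fails under
// CSRF_COOKIE_HTTPONLY = True, and shows the token source that still works:
// a value the server renders into the page (hidden input or data attribute).
// All function names and sample values below are constructed for this example.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
// Same approach as the getCookie helper shown in Django's CSRF documentation.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const key = eq === -1 ? trimmed : trimmed.slice(0, eq);
    if (key === name) return decodeURIComponent(trimmed.slice(eq + 1));
  }
  return null;
}

// What the browser exposes to script: cookies flagged HttpOnly are left out
// of document.cookie even though the browser still sends them on every request.
function visibleCookieString(cookieJar) {
  return Object.entries(cookieJar)
    .filter(([, c]) => !c.httpOnly)
    .map(([name, c]) => `${name}=${encodeURIComponent(c.value)}`)
    .join("; ");
}

// Headers an XHR/fetch call to /api/nova/servers/ would carry.
// Preference order: token embedded in the page, then the cookie.
function csrfHeaders(documentCookie, pageEmbeddedToken) {
  const token = pageEmbeddedToken || getCookie("csrftoken", documentCookie);
  const headers = { "Content-Type": "application/json" };
  if (token) headers["X-CSRFToken"] = token;
  return headers;
}

// Simplified stand-in for Django's CsrfViewMiddleware: the cookie always
// arrives with the request; it is rejected unless X-CSRFToken matches it.
// (Real Django also unmasks tokens and checks Referer/Origin; omitted here.)
function fakeServerCheck(cookieJar, headers) {
  const cookieToken = cookieJar.csrftoken && cookieJar.csrftoken.value;
  const headerToken = headers["X-CSRFToken"];
  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
    return { status: 403, reason: "CSRF token missing or incorrect." };
  }
  return { status: 200, reason: "OK" };
}

// One simulated "launch instance" POST under a given cookie flag and token source.
function launchInstance({ csrfCookieHttpOnly, useEmbeddedToken }) {
  const secret = "constructed-csrf-secret"; // constructed sample value
  const cookieJar = {
    sessionid: { value: "constructed-session-id", httpOnly: true },
    csrftoken: { value: secret, httpOnly: csrfCookieHttpOnly },
  };
  const documentCookie = visibleCookieString(cookieJar);
  // With an embedded token the server rendered the same secret into the HTML
  // (e.g. a hidden input), so script can read it without touching the cookie.
  const embedded = useEmbeddedToken ? secret : null;
  const headers = csrfHeaders(documentCookie, embedded);
  return fakeServerCheck(cookieJar, headers);
}

// Reporter's failing configuration: HttpOnly cookie, client reads the cookie.
console.log(launchInstance({ csrfCookieHttpOnly: true, useEmbeddedToken: false }));
// Reporter's working configuration: cookie readable by script.
console.log(launchInstance({ csrfCookieHttpOnly: false, useEmbeddedToken: false }));
// Alternative the Django docs describe: HttpOnly cookie, token taken from the page.
console.log(launchInstance({ csrfCookieHttpOnly: true, useEmbeddedToken: true }));
```

The first call reproduces the 403 from the report, the second the working setting, and the third shows that the flag only becomes usable once the client stops depending on the cookie as its token source, which is a change to the frontend rather than to local_settings.py.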