[Openstack-security] [OSSN][DRAFT] HTTP Strict Transport Security not enabled on Horizon Dashboard

Clark, Robert Graham robert.clark at hp.com
Wed Aug 7 15:16:26 UTC 2013


[DRAFT] - Please 
HTTP Strict Transport Security not enabled on Horizon Dashboard
----

### Summary ###
 Deployers using Horizon for production or internet facing operations
should strongly consider configuring HSTS for their deployment

### Affected Services / Software ###
Horizon, SSL, TLS, Apache, Nginx

### Discussion ###
HTTP Strict Transport Security (HSTS) enforces that all communications
with a server go over SSL. This mitigates the threat from attacks such
as SSL-Strip which replaces links on the wire, stripping away https
prefixes and potentially allowing an attacker to view confidential
information on the wire.

HSTS can be enabled in Apache and Nginx, the two primary ways of serving
Horizon at scale

### Recommended Actions ###
Apache Configuration:
-------------------------
Add this to the relevant vhost entry in your apache configuration:
Header add Strict-Transport-Security "max-age=15768000"

We suggest also using mod_rewrite to ensure all visitors to Horizon land
on a secure page, add this into your main configuration file:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>

Nginx Configuration:
------------------------
add_header Strict-Transport-Security max-age=15768000;

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1191050
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6187 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20130807/1067aba8/attachment.bin>


More information about the Openstack-security mailing list