[Openstack-security] [OSSN][DRAFT] HTTP Strict Transport Security not enabled on Horizon Dashboard

Kurt Seifried kseifried at redhat.com
Wed Aug 7 18:20:47 UTC 2013



On 08/07/2013 09:16 AM, Clark, Robert Graham wrote:
> [DRAFT] - Please HTTP Strict Transport Security not enabled on Horizon Dashboard
> ----
> 
> ### Summary ###
> Deployers using Horizon for production or internet facing operations
> should strongly consider configuring HSTS for their deployment
> 
> ### Affected Services / Software ###
> Horizon, SSL, TLS, Apache, Nginx
> 
> ### Discussion ###
> HTTP Strict Transport Security (HSTS) enforces that all communications
> with a server go over SSL. This mitigates the threat from attacks such
> as SSL-Strip which replaces links on the wire, stripping away https
> prefixes and potentially allowing an attacker to view confidential
> information on the wire.
> 
> HSTS can be enabled in Apache and Nginx, the two primary ways of
> serving Horizon at scale
> 
> ### Recommended Actions ###
> Apache Configuration:
> -------------------------
> Add this to the relevant vhost entry in your apache configuration:
> 
> Header add Strict-Transport-Security "max-age=15768000"
> 
> We suggest also using mod_rewrite to ensure all visitors to Horizon
> land on a secure page, add this into your main configuration file:
> 
> <IfModule mod_rewrite.c>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </IfModule>
> 
> Nginx Configuration:
> ------------------------
> add_header Strict-Transport-Security max-age=15768000;
> 
> ### Contacts / References ###
> This OSSN : https://bugs.launchpad.net/ossn/+bug/1191050
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> 

+1. Also remember that technically speaking by the specification the
HSTS header can only be served over HTTPS and not HTTP (they want to
avoid the habit of handing security sensitive headers over insecure
channels which makes sense). Also I use a permanent redirect (301) in
my HTTP->HTTPS rewrite rules in case the browser client doesn't
support HSTS or whatever.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993