[Openstack-security] [Bug 1210409] Re: Horizon Dashboard Installation documentation should use secure defaults

Tom Fifield 1210409 at bugs.launchpad.net
Fri Aug 9 23:41:53 UTC 2013


** Changed in: openstack-manuals
       Status: New => Triaged

** Tags added: horizon security

** Changed in: openstack-manuals
   Importance: Undecided => High

** Changed in: openstack-manuals
    Milestone: None => havana

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210409

Title:
  Horizon Dashboard Installation documentation should use secure
  defaults

Status in OpenStack Manuals:
  Triaged

Bug description:
  The documentation for installing Horizon includes a section on
  deploying it behind SSL.

  A recent OSSN highlighted that if you need to deploy Horizon securely
  it really should be configured with HTTP Strict Transport Security
  (HSTS) by default. This OSSN demonstrates the configuration but I
  don't have a Horizon setup to test it against -
  https://bugs.launchpad.net/ossn/+bug/1191050

  Similarly, there's an OSSN recommending that Horizon issues cookies
  with Secure attributes, which would avoid them travelling over HTTP and
  protect against a range of attacks:
  https://bugs.launchpad.net/ossn/+bug/1191051

  As the Horizon documentation already has guidance on securing the
  connection it should really follow these best practices.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1210409/+subscriptions
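
Added example, not part of the bug report or the OSSNs it links: a small Python check that a deployer could run over captured dashboard response headers to confirm the two defaults the report asks for, an HSTS policy and the Secure attribute on every cookie. The header blocks and the cookie names and values in them are constructed sample data, and the function names are hypothetical.

```python
# Added example; the header blocks below are constructed sample data.
def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_max_age(pairs):
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    for name, value in pairs:
        if name == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                val = val.strip().strip('"')
                if key.strip().lower() == "max-age" and val.isdigit():
                    return int(val)
    return None

def cookies_without_secure(pairs):
    """Return the names of cookies whose Set-Cookie lacks the Secure attribute."""
    missing = []
    for name, value in pairs:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
            if "secure" not in attrs:
                missing.append(parts[0].partition("=")[0])
    return missing

def audit(raw):
    """Return a list of findings; an empty list means both checks passed."""
    pairs = parse_headers(raw)
    findings = []
    if not hsts_max_age(pairs):  # None (missing) or 0 (policy disabled)
        findings.append("HSTS missing or max-age=0")
    findings += ["cookie %s lacks Secure" % c for c in cookies_without_secure(pairs)]
    return findings
WEAK = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=def456; Path=/; Secure
"""
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure
"""
```

Calling audit(WEAK) reports the missing HSTS header and the one cookie without Secure; audit(HARDENED) returns an empty list.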



