[Openstack-security] [Bug 1210409] Re: Horizon Dashboard Installation documentation should use secure defaults
Tom Fifield
1210409 at bugs.launchpad.net
Fri Aug 9 23:41:53 UTC 2013
** Changed in: openstack-manuals
Status: New => Triaged
** Tags added: horizon security
** Changed in: openstack-manuals
Importance: Undecided => High
** Changed in: openstack-manuals
Milestone: None => havana
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210409
Title:
Horizon Dashboard Installation documentation should use secure
defaults
Status in OpenStack Manuals:
Triaged
Bug description:
The documentation for installing Horizon includes a section on
deploying it behind SSL.
A recent OSSN highlighted that if you need to deploy Horizon securely
it really should be configured with HTTP Strict Transport Security
(HSTS) by default. This OSSN demonstrates the configuration but I
don't have a Horizon setup to test it against -
https://bugs.launchpad.net/ossn/+bug/1191050
Similarly, there's an OSSN recommending that Horizon issue cookies
with the Secure attribute, which would avoid them travelling over HTTP
and protect against a range of attacks:
https://bugs.launchpad.net/ossn/+bug/1191051
As the Horizon documentation already has guidance on securing the
connection, it should really follow these best practices.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1210409/+subscriptions
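An added example, not part of the original bug report or the OSSNs it links: a small audit of the response headers from an HTTPS dashboard deployment for the two defaults requested above, an HSTS policy and the Secure attribute on every cookie. The function names and the sample headers are constructed for illustration; the cookie names are assumed to be Django's default session and CSRF cookies.

```python
def parse_directives(value):
    """Split a header value like 'max-age=31536000; includeSubDomains'."""
    out = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response.
    Returns a list of findings; an empty list means both checks pass."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        # RFC 6797: only the first HSTS header field is processed.
        max_age = parse_directives(hsts[0]).get("max-age", "")
        if not max_age.isdigit():
            findings.append("HSTS header has no valid max-age")
        elif int(max_age) == 0:
            findings.append("HSTS max-age=0 removes the policy")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        # Attribute names are case-insensitive; the first part is name=value.
        attrs = {p.strip().partition("=")[0].lower() for p in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure attribute")
    return findings


# Constructed sample responses (not captured from a real deployment).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; secure"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(sample))
```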