[Openstack-security] [Bug 1210409] Re: Horizon Dashboard Installation documentation should use secure defaults
Jon Proulx
jon at jonproulx.com
Fri Sep 6 19:51:03 UTC 2013
This should also be included in the Ubuntu install guide
http://docs.openstack.org/grizzly/openstack-compute/install/apt/content/installing-openstack-dashboard.html
With some luck the examples affected will be the same in both since it's
not really distro specific and will be or can be made to be a single
source included in both locations...
** Changed in: openstack-manuals
Status: Triaged => In Progress
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210409
Title:
Horizon Dashboard Installation documentation should use secure
defaults
Status in OpenStack Manuals:
In Progress
Bug description:
The documentation for installing Horizon includes a section on
deploying it behind SSL.
A recent OSSN highlighted that if you need to deploy Horizon securely
it really should be configured with HTTP Strict Transport Security
(HSTS) by default. This OSSN demonstrates the configuration but I
don't have a horizon setup to test it against -
https://bugs.launchpad.net/ossn/+bug/1191050
Similarly, there's an OSSN recommending that Horizon issues cookies
with Secure attributes, which would avoid them travelling over HTTP and
protect against a range of attacks:
https://bugs.launchpad.net/ossn/+bug/1191051
As the horizon documentation already has guidance on securing the
connection it should really follow these best practices.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1210409/+subscriptions
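
An added example, not part of the original message or of the referenced OSSNs: a small audit of an HTTPS response head for the two settings the bug asks the guide to adopt, an effective HSTS header and the Secure attribute on every cookie. The cookie names (Django's defaults `csrftoken` and `sessionid`) and both sample responses are assumptions constructed for illustration.

```python
from email import message_from_string


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    for directive in (headers.get("Strict-Transport-Security") or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def insecure_cookies(headers):
    """Names of cookies whose Set-Cookie line lacks the Secure attribute."""
    missing = []
    for line in headers.get_all("Set-Cookie", []):
        pair, *attrs = [part.strip() for part in line.split(";")]
        if "secure" not in {a.lower() for a in attrs}:
            missing.append(pair.partition("=")[0])
    return missing


def audit(raw):
    """List findings for the head of one HTTPS response."""
    # Drop the status line; the rest parses as RFC 822 style headers.
    _, _, head = raw.replace("\r\n", "\n").partition("\n")
    headers = message_from_string(head)
    findings = []
    if not hsts_max_age(headers):  # absent, malformed, or max-age=0
        findings.append("no effective Strict-Transport-Security header")
    findings += [f"cookie {n!r} set without Secure" for n in insecure_cookies(headers)]
    return findings


# Constructed sample responses (not captured from a real deployment).
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: csrftoken=abc123; Path=/\r\n"
        "Set-Cookie: sessionid=def456; HttpOnly; Path=/\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=15768000\r\n"
            "Set-Cookie: csrftoken=abc123; Path=/; Secure\r\n"
            "Set-Cookie: sessionid=def456; HttpOnly; Path=/; Secure\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw))
```

A `max-age=0` value is reported as a finding because it tells the browser to discard the stored HSTS policy.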