Fix proposed to branch: master
Review: https://review.openstack.org/45491

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210409

Title:
  Horizon Dashboard Installation documentation should use secure defaults

Status in OpenStack Manuals:
  In Progress

Bug description:
  The documentation for installing Horizon includes a section on deploying
  it behind SSL.

  A recent OSSN highlighted that if you need to deploy Horizon securely it
  really should be configured with HTTP Strict Transport Security (HSTS)
  by default. This OSSN demonstrates the configuration, but I don't have a
  Horizon setup to test it against:
  https://bugs.launchpad.net/ossn/+bug/1191050

  Similarly, there's an OSSN recommending that Horizon issue cookies with
  the Secure attribute, which would avoid them travelling over HTTP and
  protects against a range of attacks:
  https://bugs.launchpad.net/ossn/+bug/1191051

  As the Horizon documentation already has guidance on securing the
  connection, it should really follow these best practices.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1210409/+subscriptions
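The two defaults the report asks for, an HSTS header and the Secure attribute on cookies, are both visible in the HTTP response a dashboard sends, so a deployer can verify them without reading the web server configuration. The checker below is an added example written for this page; it is not code from the bug report, from the OSSNs it links, or from the openstack-manuals project. The one-year max-age threshold, the sample header sets (constructed, not captured from a real Horizon deployment) and the audit_url helper's assumption that the dashboard is reachable over HTTPS at the given URL are all assumptions of the example.

```python
import urllib.request

# Minimum HSTS max-age this check accepts (one year, in seconds). The
# threshold is an assumption of this example, not a value from the bug.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    'max-age=31536000; includeSubDomains' ->
    {'max-age': 31536000, 'includesubdomains': True}
    A max-age that is not an integer is recorded as None.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                directives[name] = int(val.strip().strip('"'))
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True
    return directives


def audit_headers(headers):
    """Return a list of findings for a response's (name, value) header pairs.

    Headers are a list of pairs rather than a dict because Set-Cookie may
    legitimately appear several times in one response.
    """
    findings = []

    hsts_values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts_values[0]).get("max-age")
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age directive")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(
                "Strict-Transport-Security max-age %d is below %d"
                % (max_age, MIN_HSTS_MAX_AGE)
            )

    # Every cookie the dashboard sets must carry the Secure attribute, or a
    # browser will also send it on a plain HTTP request to the same host.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attributes = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attributes:
            findings.append("cookie %s is set without the Secure attribute" % cookie_name)

    return findings


def audit_url(url):
    """Fetch url and audit its response headers.

    Assumes the dashboard is reachable at url over HTTPS; the offline samples
    below do not call this.
    """
    with urllib.request.urlopen(url) as response:
        return audit_headers(response.getheaders())


# Constructed sample responses, not captured from a real Horizon deployment.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=def456; Path=/"),
]

HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "csrftoken=def456; Path=/; Secure"),
]


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(sample) or ["no findings"])
```

Run against the weak sample the audit reports the missing HSTS header and both cookies lacking Secure; against the hardened sample it reports nothing. On the configuration side, Django (which Horizon is built on) emits the Secure attribute on its session and CSRF cookies when SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to True, while the Strict-Transport-Security header is normally added by the front-end web server; whichever layer is responsible, the response headers are what the browser acts on, which is why the check reads them rather than the settings files.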