[Openstack-security] [Bug 1210409] Re: Horizon Dashboard Installation documentation should use secure defaults

OpenStack Infra 1210409 at bugs.launchpad.net
Sun Sep 8 22:13:16 UTC 2013


Reviewed:  https://review.openstack.org/45491
Committed: http://github.com/openstack/openstack-manuals/commit/d5bcc13a00869723e86973a26c67c8de92d79c6a
Submitter: Jenkins
Branch:    master

commit d5bcc13a00869723e86973a26c67c8de92d79c6a
Author: Jon Proulx <jon at jonproulx.com>
Date:   Fri Sep 6 16:25:50 2013 -0400

    Add HSTS and cookie security to dashboard example config
    
    Adds recommended settings from
    https://bugs.launchpad.net/ossn/+bug/1191050
    https://bugs.launchpad.net/ossn/+bug/1191051
    http://docs.openstack.org/developer/horizon/topics/deployment.html#secure-site-recommendations
    to the configuration instructions for HTTPS
    
    Also includes some grammatical and formatting fixes
    
    Affects install guides, compute admin guide, and configuration guide
    
    Note the content is in two nearly identical locations
    https://bugs.launchpad.net/openstack-manuals/+bug/1222006
    has been opened for the organizational bug.
    This fixes the content of both locations identically.
    
    Change-Id: I1b41b3bee0d884ca3d29a1f2667e5b55070131cb
    Closes-Bug: #1210409


** Changed in: openstack-manuals
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1210409

Title:
  Horizon Dashboard Installation documentation should use secure
  defaults

Status in OpenStack Manuals:
  Fix Released

Bug description:
  The documentation for installing Horizon includes a section on
  deploying it behind SSL.

  A recent OSSN highlighted that if you need to deploy Horizon securely
  it really should be configured with HTTP Strict Transport Security
  (HSTS) by default. This OSSN demonstrates the configuration but I
  don't have a horizon setup to test it against -
  https://bugs.launchpad.net/ossn/+bug/1191050

  Similarly, there's an OSSN recommending that Horizon issue cookies
  with Secure attributes, which would avoid them travelling over HTTP and
  protect against a range of attacks:
  https://bugs.launchpad.net/ossn/+bug/1191051

  As the horizon documentation already has guidance on securing the
  connection it should really follow these best practices.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1210409/+subscriptions
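
A check for the two settings this bug asks the documentation to adopt, as an added example that is not part of the original message or of the openstack-manuals change: it parses a response head and reports a missing or weak HSTS header and any cookie issued without the Secure attribute. The sample responses, the cookie names and the `min_max_age` floor are assumptions constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real deployment).
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: csrftoken=abc123; Path=/
Set-Cookie: sessionid=def456; Path=/; HttpOnly
"""
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=15768000
Set-Cookie: csrftoken=abc123; Path=/; Secure
Set-Cookie: sessionid=def456; Path=/; HttpOnly; Secure
"""


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response head."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


# min_max_age is an assumed policy floor (about six months, in seconds),
# not a value taken from the bug report.
def audit(raw, min_max_age=15768000):
    """List findings for missing/weak HSTS and cookies without Secure."""
    findings = []
    headers = parse_headers(raw)
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if m is None or int(m.group(1)) < min_max_age:
            findings.append("HSTS max-age missing or below policy floor")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % parts[0].split("=", 1)[0])
    return findings
```

Cookie attribute names are matched case-insensitively, and a `max-age` of 0 is reported because it tells the browser to stop treating the host as an HSTS host.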



