yahoo-eng-team team mailing list archive

[Bug 1191050] Re: HTTP Strict Transport Security not enabled on Horizon Dashboard

Would make a great "recommended Django deploy options for Horizon" OSSN
together with bug 1191051

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

** No longer affects: ossa

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1191050

Title:
  HTTP Strict Transport Security not enabled on Horizon Dashboard

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  New

Bug description:
  Versions:         2012.2

  The Horizon Dashboard does not enable HTTP Strict Transport
  Security.  As a result, browsers can be tricked into making HTTP
  connections even if all connections to Horizon should be
  protected via TLS.  Therefore, web sessions are susceptible to
  MitM attacks such as cookie/session stealing.

  HTTP Strict Transport Security (HSTS) is a mechanism through which web
  hosts can instruct browsers to only connect over SSL/TLS for future
  connections. It helps prevent Man-in-the-Middle (MitM) attacks that
  attempt to trick victims' browsers into dropping out of SSL/TLS. HSTS
  can also help mitigate other weaknesses such as web applications which
  omit the secure flag when setting session cookies. HSTS is currently
  implemented in Firefox and Chrome, but will ideally be included in
  other popular browsers as well.

  For more information see
  https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191050/+subscriptions
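The bug description above explains what HSTS does but not how a deployer verifies it or adds it when the application does not. The following is an added example, not code from Horizon, Django or the bug reporter. It shows a parser that judges a Strict-Transport-Security header value against a minimum policy, and a small WSGI middleware that adds the header only to responses served over HTTPS (RFC 6797 says browsers ignore the header on plain HTTP, so sending it there gives a false sense of coverage). The one-year minimum, the header values and the `hello_app` stand-in are constructed for the example.

```python
"""Check and enforce HTTP Strict Transport Security (HSTS) at the WSGI layer.

Added example, not Horizon's or Django's own code. It shows (1) a parser that
judges whether a Strict-Transport-Security header value meets a minimum policy
and (2) a WSGI middleware that adds the header only to HTTPS responses, which
is the only place RFC 6797 says a browser will honour it.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age assumed for this example


def parse_hsts(value):
    """Parse an HSTS header value into a dict.

    Returns {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive; unknown directives are ignored,
    as RFC 6797 requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_problems(headers, served_over_https=True, min_age=ONE_YEAR):
    """Return a list of policy findings for a response's (name, value) headers.

    An empty list means the response meets the policy.
    """
    findings = []
    values = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not values:
        findings.append("missing Strict-Transport-Security header")
        return findings
    if not served_over_https:
        findings.append("HSTS header sent over plain HTTP (browsers ignore it)")
    parsed = parse_hsts(values[0])
    if parsed["max_age"] is None:
        findings.append("max-age directive missing or invalid (header is ignored)")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif parsed["max_age"] < min_age:
        findings.append("max-age %d below minimum %d" % (parsed["max_age"], min_age))
    return findings


class HSTSMiddleware(object):
    """WSGI middleware adding Strict-Transport-Security to HTTPS responses only."""

    def __init__(self, app, max_age=ONE_YEAR, include_subdomains=True):
        self.app = app
        self.value = "max-age=%d" % max_age
        if include_subdomains:
            self.value += "; includeSubDomains"

    def __call__(self, environ, start_response):
        def custom_start(status, headers, exc_info=None):
            # wsgi.url_scheme is set by the server, or by a proxy-aware
            # middleware when TLS terminates at a load balancer in front.
            if environ.get("wsgi.url_scheme") == "https" and not any(
                n.lower() == "strict-transport-security" for n, _ in headers
            ):
                headers = list(headers) + [("Strict-Transport-Security", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, custom_start)


def hello_app(environ, start_response):
    """Constructed stand-in for the dashboard application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def run_app(app, scheme):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    wrapped = HSTSMiddleware(hello_app)
    for scheme in ("https", "http"):
        status, headers, body = run_app(wrapped, scheme)
        print(scheme, headers, hsts_problems(headers, served_over_https=(scheme == "https")))
```

`hsts_problems` is the check a deployer would run against the live dashboard's response headers; the middleware is one way to close the gap when the application itself does not emit the header. Django releases from 1.8 onward ship `django.middleware.security.SecurityMiddleware`, driven by the `SECURE_HSTS_SECONDS`, `SECURE_HSTS_INCLUDE_SUBDOMAINS` and `SECURE_SSL_REDIRECT` settings, which covers the same ground in a supported way; behind a TLS-terminating proxy, `wsgi.url_scheme` (or Django's `SECURE_PROXY_SSL_HEADER`) must reflect the client-facing scheme or the header will never be sent.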