Message #20756
[Bug 1118194] Re: Security Documentation for Horizon
** Changed in: openstack-manuals
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1118194
Title:
Security Documentation for Horizon
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in OpenStack Manuals:
Fix Released
Bug description:
Horizon's documentation doesn't contain much in terms of guidelines
for securing a deployment.
The following should be documented somewhere:
When implementing Horizon for public usage, with the website served
through HTTPS, the following recommendations apply.
In the Apache global configuration ensure that the following directive
is configured to prevent the server from sharing its name, version and
any other information that could be used for an attack:
ServerSignature Off
In the Apache global configuration ensure that the following directive
is configured to prevent cross-site tracing [1]:
TraceEnable Off
In the Apache virtual host configuration:
1) Ensure that the "Indexes" option is not included in the Options directive.
2) Protect the server from BEAST attacks [2] by implementing the following options:
SSLHonorCipherOrder on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES
In local_settings.py, implement the following settings in order to
help protect the cookies from cross-site scripting [3]:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
Note that the CSRF_COOKIE_SECURE option is only available from Django
1.4 and will therefore not work for most packaged Essex deployments.
Also, since a recent patch [4], you can disable browser autocompletion
[5] for the authentication form by changing the
'password_autocomplete' attribute to 'off' in horizon/conf/default.py.
[1] http://www.kb.cert.org/vuls/id/867593
[2] http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
[3] https://www.owasp.org/index.php/HttpOnly
[4] https://review.openstack.org/21349
[5] https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1118194/+subscriptions
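The following script is an added example, not code from the bug report, from Horizon, or from the OpenStack manuals: it audits an Apache configuration and a Horizon local_settings.py for the hardening the report asks to have documented (ServerSignature, TraceEnable, Indexes, SSLHonorCipherOrder, and the three cookie settings). The two Apache configurations and the two settings snippets embedded in it are constructed samples, and the function names are mine. One deliberate difference from the report is labelled as an assumption in the code: the checker treats an SSLProtocol line that permits SSLv3 as a finding, because SSLv3 (RFC 7568) and RC4 (RFC 7465) have been deprecated since the report was written, so the report's BEAST cipher line should not be copied onto a current deployment.

```python
"""Audit Apache and Horizon local_settings.py for the hardening directives
listed in bug 1118194.  Added example; not Horizon or Apache code.
All sample configurations below are constructed for this example."""
import ast

# Constructed "before" config: leaks server details, allows TRACE and listings.
WEAK_APACHE = """
ServerSignature On
TraceEnable On
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    <Directory /var/www/horizon>
        Options Indexes FollowSymLinks
    </Directory>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

# Constructed "after" config with the directives the report recommends,
# except that SSLv3 is left out (assumption: SSLv3 is deprecated, RFC 7568).
HARDENED_APACHE = """
ServerSignature Off
TraceEnable Off
<VirtualHost *:443>
    DocumentRoot /var/www/horizon
    <Directory /var/www/horizon>
        Options FollowSymLinks
    </Directory>
    SSLEngine on
    SSLHonorCipherOrder on
    SSLProtocol -ALL +TLSv1
</VirtualHost>
"""

WEAK_SETTINGS = "DEBUG = False\nSESSION_COOKIE_SECURE = False\n"
HARDENED_SETTINGS = ("CSRF_COOKIE_SECURE = True\n"
                     "SESSION_COOKIE_SECURE = True\n"
                     "SESSION_COOKIE_HTTPONLY = True\n")


def _directives(text):
    """Yield (name, args) for each Apache directive line, skipping comments and
    section tags.  Directive names are case-insensitive, so they are lowercased."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_apache(text):
    """Return a list of findings; an empty list means every check passed."""
    last = {}          # directive -> args of its last occurrence (later wins)
    indexes = False    # whether directory listings end up enabled
    for name, args in _directives(text):
        last[name] = args
        if name == "options":
            for opt in args:
                if opt.lower() in ("indexes", "+indexes"):
                    indexes = True
                elif opt.lower() == "-indexes":
                    indexes = False
    findings = []
    for directive, want in (("serversignature", "off"),
                            ("traceenable", "off"),
                            ("sslhonorcipherorder", "on")):
        args = last.get(directive)
        if args is None:
            findings.append(f"{directive} not set (want {want})")
        elif args[0].lower() != want:
            findings.append(f"{directive} is {args[0]} (want {want})")
    if indexes:
        findings.append("Options enables Indexes (directory listing)")
    proto = last.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set (server default applies)")
    else:
        # Stricter than the report's "-ALL +SSLv3 +TLSv1" line: flag SSLv3,
        # whether enabled explicitly or implicitly via "all" (assumption).
        tokens = [t.lower() for t in proto]
        enabled = {t.lstrip("+") for t in tokens if not t.startswith("-")}
        if "sslv3" in enabled or ("all" in enabled and "-sslv3" not in tokens):
            findings.append("SSLProtocol permits SSLv3")
    return findings


def audit_settings(text):
    """Check local_settings.py source for the three cookie flags.  The file is
    parsed with ast rather than executed, so auditing it has no side effects."""
    values = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)):
            values[node.targets[0].id] = node.value.value
    return [f"{key} = {values.get(key)!r} (want True)"
            for key in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE",
                        "SESSION_COOKIE_HTTPONLY")
            if values.get(key) is not True]


if __name__ == "__main__":
    for label, findings in (("weak apache", audit_apache(WEAK_APACHE)),
                            ("hardened apache", audit_apache(HARDENED_APACHE)),
                            ("weak settings", audit_settings(WEAK_SETTINGS)),
                            ("hardened settings", audit_settings(HARDENED_SETTINGS))):
        print(f"{label}: {findings or 'OK'}")
```

On a real deployment, feed the contents of the Apache global and vhost files and of local_settings.py to the two functions; Apache's own `apachectl -t -D DUMP_RUN_CFG` is still the authority on what the server actually loads, since this checker does not follow Include directives.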