HTTP Strict Transport Security not enabled on Horizon Dashboard
----

### Summary ###
Cloud operators using Horizon for production or internet-facing operations should strongly consider configuring HSTS for their deployment.

### Affected Services / Software ###
Horizon, SSL, TLS, Apache, Nginx

### Discussion ###
HTTP Strict Transport Security (HSTS) enforces that all communications with a server go over SSL/TLS. This mitigates the threat from attacks such as SSL Strip, which rewrites links on the wire, stripping away https prefixes and potentially allowing an attacker to view confidential information in transit. HSTS can be enabled in Apache and Nginx, the two primary ways of serving Horizon at scale.

### Recommended Actions ###

Apache Configuration:
-------------------------
Add this to the relevant vhost:

    Header add Strict-Transport-Security "max-age=15768000"

We suggest also using mod_rewrite to ensure all visitors to Horizon land on a secure page. Add this into your main configuration file:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Only rewrite requests that arrived over plain HTTP
        RewriteCond %{HTTPS} off
        # R=301 forces a permanent external redirect to the https URL;
        # L stops further rule processing for this request
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>

Nginx Configuration:
------------------------

    # Place this in the server block that listens on 443; browsers ignore
    # the header when it is received over plain HTTP
    add_header Strict-Transport-Security "max-age=15768000";

As always, test these configuration settings before deploying them to production in order to catch any bugs.

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1191050
Documentation Bug : https://bugs.launchpad.net/openstack-manuals/+bug/1210409
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
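The following is an added example, not part of this OSSN or of Horizon itself: an offline checker that validates a Strict-Transport-Security header value per RFC 6797 against the max-age recommended above, and checks that a plain-HTTP response is a redirect to https as the mod_rewrite rule is meant to produce. The response headers are constructed inline; in practice you would feed it the headers returned by your Horizon endpoint.

```python
"""Offline checks for the HSTS deployment recommended in this OSSN."""
import re

# RFC 6797: directives separated by ';', names are case-insensitive,
# max-age is required, and no directive may appear more than once.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2\s*)?$')


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {name: value}.
    Directive names are lowercased; returns None if the value is malformed."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None                      # duplicate directive -> invalid
        directives[name] = m.group(3)        # None for valueless directives
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(https_headers, min_age=15768000):
    """Findings for the headers of an HTTPS response (empty list = acceptable)."""
    hdrs = {k.lower(): v for k, v in https_headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["malformed Strict-Transport-Security header: %r" % value]
    if parsed["max-age"] < min_age:
        return ["max-age %d below recommended %d" % (parsed["max-age"], min_age)]
    return []


def check_http_redirect(status, http_headers):
    """Findings for a plain-HTTP response: it must redirect to an https URL."""
    hdrs = {k.lower(): v for k, v in http_headers.items()}
    if status not in (301, 302, 307, 308):
        return ["plain-HTTP request was served (status %d) instead of redirected to https" % status]
    loc = hdrs.get("location", "")
    if not loc.lower().startswith("https://"):
        return ["redirect Location is not https: %r" % loc]
    return []
```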