Would make a great "recommended Django deploy options for Horizon" OSSN
together with bug 1191050

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

** No longer affects: ossa

** Changed in: horizon
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1191051

Title:
  Horizon does not set Secure Attribute in cookies

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Notes:
  New

Bug description:
  Version:         2012.2

  The cookies used by Horizon do not have the Secure Attribute set, which
  allows them to be sent over unencrypted requests. This could result in stolen
  sessions, as it is trivial to force the browser to make unencrypted requests.
  For more information see
  https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1191051/+subscriptions
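
A check for the condition in the bug description, added here as an example (not code from Horizon or from the bug report): it parses Set-Cookie headers and lists the cookies that lack the Secure attribute. The header lines are constructed samples using Django's default cookie names; on an HTTPS-only deployment (an assumption), the Django settings SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True produce the "after" form.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""

# Constructed sample headers, shaped like Django's default cookies
# ("sessionid" and "csrftoken" are Django's default cookie names).
SAMPLE_INSECURE = [
    "csrftoken=constructed-csrf-value; Max-Age=31449600; Path=/",
    "sessionid=constructed-session-value; httponly; Path=/",
]
SAMPLE_SECURE = [
    "csrftoken=constructed-csrf-value; Max-Age=31449600; Path=/; Secure",
    "sessionid=constructed-session-value; HttpOnly; Path=/; secure",
]


def parse_set_cookie(header):
    """Return (cookie_name, attrs); attrs maps lowercased attribute names to values."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        # Attribute names are case-insensitive; flags such as Secure have no value.
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies a browser would also attach to plain-HTTP requests."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_INSECURE), ("after", SAMPLE_SECURE)):
        result = cookies_missing_secure(headers)
        print(label, result or "all cookies carry Secure")
```
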
