openstack
/
charm-openstack-dashboard
Code Issues Proposed changes

apache2: add secure flag header when enforce_ssl 

The Secure attribute tells the browser to only send the cookie if the
request is being sent over a secure channel such as HTTPS. This will
help protect the cookie from being passed over unencrypted requests.

Change-Id: I1ded951d79ad9fa832d1e88f656a1e064b1ef007
Closes-bug: #1822751
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
This commit is contained in:
Sahid Orentino Ferdjaoui 2019-04-02 12:14:23 +02:00 committed by sahid
parent 115790bac6
commit 101098a1c2
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
templates/default-ssl
View File

@ -44,6 +44,7 @@ NameVirtualHost *:{{ 443 }}
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
{% if enforce_ssl %}
Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
{% endif %}
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"