Enable security related headers when SSL is enabled
Horizon can be set up in a more secure way. Enable more headers: - X-XSS-Protection "1; mode=block" - X-Content-Type-Options "nosniff" - CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE in Django Change-Id: I84605bd7e00df64da522b805b4e9a88521d1e0f6 Partial-Bug: #1713202
This commit is contained in:
parent
f68514cb9a
commit
47396b52de
|
@ -132,7 +132,8 @@ CONFIG_FILES = OrderedDict([
|
|||
'hook_contexts': [horizon_contexts.HorizonContext(),
|
||||
horizon_contexts.IdentityServiceContext(),
|
||||
context.SyslogContext(),
|
||||
horizon_contexts.LocalSettingsContext()],
|
||||
horizon_contexts.LocalSettingsContext(),
|
||||
horizon_contexts.ApacheSSLContext()],
|
||||
'services': ['apache2', 'memcached']
|
||||
}),
|
||||
(APACHE_CONF, {
|
||||
|
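Review bot: Appending `horizon_contexts.ApacheSSLContext()` to this entry's hook_contexts makes the rendered settings depend on whatever that context exposes as ssl_configured, which the local_settings templates in this commit use to decide the Secure cookie flags; if ApacheSSLContext only reports ssl_configured when a certificate/key pair is explicitly set, a deployment served over HTTPS with the default snakeoil certificate (the `{% else %}` branch of the apache template) would keep non-Secure cookies. Worth confirming against ApacheSSLContext, and worth a why-comment on the added line, e.g. `# ApacheSSLContext supplies ssl_configured, which gates the Secure cookie flags`. The CONFIG_FILES OrderedDict this entry belongs to begins before the hunk.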
@ -264,6 +265,7 @@ def enable_ssl():
|
|||
subprocess.call(['a2ensite', 'default-ssl'])
|
||||
subprocess.call(['a2enmod', 'ssl'])
|
||||
subprocess.call(['a2enmod', 'rewrite'])
|
||||
subprocess.call(['a2enmod', 'headers'])
|
||||
|
||||
|
||||
def determine_packages():
|
||||
|
|
|
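Review bot: The added `subprocess.call(['a2enmod', 'headers'])` discards the exit status, yet the apache template in this commit now carries `Header set` directives that Apache rejects at startup when mod_headers is not loaded, so a failure here surfaces later as a dashboard outage rather than a hook error; `subprocess.check_call(['a2enmod', 'headers'])` would fail loudly where the problem is. If enable_ssl() is not re-run on charm upgrade for deployments that already have SSL enabled, the new directives could be rendered before the module is enabled — confirm the upgrade path. enable_ssl() begins before this hunk.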
@ -31,12 +31,14 @@
|
|||
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
|
||||
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
|
||||
{% if ssl_configured %}
|
||||
SSLCertificateFile {{ ssl_cert }}
|
||||
SSLCertificateKeyFile {{ ssl_key }}
|
||||
SSLCertificateFile {{ ssl_cert }}
|
||||
SSLCertificateKeyFile {{ ssl_key }}
|
||||
{% else %}
|
||||
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
{% endif %}
|
||||
Header set X-XSS-Protection "1; mode=block"
|
||||
Header set X-Content-Type-Options "nosniff"
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
|
|
|
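Review bot: `Header set` without `always` only acts on the onsuccess header table, so error responses (4xx/5xx, including Django's own error pages) go out without these headers; `Header always set X-XSS-Protection "1; mode=block"` and `Header always set X-Content-Type-Options "nosniff"` cover every response. The directives sit next to the certificate block, presumably inside the SSL VirtualHost, so if Horizon is also reachable over plain HTTP before any rewrite to HTTPS that vhost gets no headers — confirm against the rest of the template. The enclosing VirtualHost starts and ends outside the hunk.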
@ -28,6 +28,11 @@ TEMPLATE_DEBUG = DEBUG
|
|||
# settings to better secure the cookies from security exploits
|
||||
#CSRF_COOKIE_SECURE = True
|
||||
#SESSION_COOKIE_SECURE = True
|
||||
{% if ssl_configured %}
|
||||
CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
{% endif %}
|
||||
|
||||
|
||||
# Overrides for OpenStack API versions. Use this setting to force the
|
||||
# OpenStack dashboard to use a specfic API version for a given service API.
|
||||
|
|
|
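Review bot: The `{% if ssl_configured %}` guard added here, and identically in the four local_settings hunks that follow (@ -46,6 and the three @ -45,6), ties the Secure cookie flags to ssl_configured rather than to the SSL vhost actually being enabled, so if that variable is only true for an explicitly configured certificate, an HTTPS deployment on the default snakeoil certificate keeps cookies that a browser will also send over plain HTTP. Conversely, once the flags are on, any login attempted over plain HTTP fails silently because the browser withholds the cookies, so this relies on a redirect to HTTPS being in place — the rewrite module enabled in enable_ssl() suggests one exists, but confirm. A one-line comment would help the next reader, e.g. `# Only mark cookies Secure when the SSL vhost is rendered; HTTP logins cannot work once this is set`.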
@ -46,6 +46,11 @@ WEBROOT = '/'
|
|||
# settings to better secure the cookies from security exploits
|
||||
#CSRF_COOKIE_SECURE = True
|
||||
#SESSION_COOKIE_SECURE = True
|
||||
{% if ssl_configured %}
|
||||
CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
{% endif %}
|
||||
|
||||
|
||||
# Overrides for OpenStack API versions. Use this setting to force the
|
||||
# OpenStack dashboard to use a specific API version for a given service API.
|
||||
|
|
|
@ -45,6 +45,11 @@ WEBROOT = '/'
|
|||
# settings to better secure the cookies from security exploits
|
||||
#CSRF_COOKIE_SECURE = True
|
||||
#SESSION_COOKIE_SECURE = True
|
||||
{% if ssl_configured %}
|
||||
CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
{% endif %}
|
||||
|
||||
|
||||
# The absolute path to the directory where message files are collected.
|
||||
# The message file must have a .json file extension. When the user logins to
|
||||
|
|
|
@ -45,6 +45,11 @@ WEBROOT = '/'
|
|||
# settings to better secure the cookies from security exploits
|
||||
#CSRF_COOKIE_SECURE = True
|
||||
#SESSION_COOKIE_SECURE = True
|
||||
{% if ssl_configured %}
|
||||
CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
{% endif %}
|
||||
|
||||
|
||||
# The absolute path to the directory where message files are collected.
|
||||
# The message file must have a .json file extension. When the user logins to
|
||||
|
|
|
@ -45,6 +45,11 @@ WEBROOT = '/'
|
|||
# settings to better secure the cookies from security exploits
|
||||
#CSRF_COOKIE_SECURE = True
|
||||
#SESSION_COOKIE_SECURE = True
|
||||
{% if ssl_configured %}
|
||||
CSRF_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
{% endif %}
|
||||
|
||||
|
||||
# The absolute path to the directory where message files are collected.
|
||||
# The message file must have a .json file extension. When the user logins to
|
||||
|
|
|
@ -81,7 +81,8 @@ class TestHorizohorizon_utils(CharmTestCase):
|
|||
_call.assert_has_calls([
|
||||
call(['a2ensite', 'default-ssl']),
|
||||
call(['a2enmod', 'ssl']),
|
||||
call(['a2enmod', 'rewrite'])
|
||||
call(['a2enmod', 'rewrite']),
|
||||
call(['a2enmod', 'headers'])
|
||||
])
|
||||
|
||||
def test_restart_map(self):
|
||||
|
|