Enable security related headers when SSL is enabled

Horizon can be set up in a more secure way. Enable more headers:
 - X-XSS-Protection "1; mode=block"
 - X-Content-Type-Options "nosniff"
 - CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE in Django

Change-Id: I84605bd7e00df64da522b805b4e9a88521d1e0f6
Partial-Bug: #1713202
Nobuto Murata 2017-08-26 20:12:43 +07:00
parent f68514cb9a
commit 47396b52de
8 changed files with 34 additions and 4 deletions


@ -132,7 +132,8 @@ CONFIG_FILES = OrderedDict([
'hook_contexts': [horizon_contexts.HorizonContext(),
horizon_contexts.IdentityServiceContext(),
context.SyslogContext(),
horizon_contexts.LocalSettingsContext()],
horizon_contexts.LocalSettingsContext(),
horizon_contexts.ApacheSSLContext()],
'services': ['apache2', 'memcached']
}),
(APACHE_CONF, {
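Review bot: Adding `horizon_contexts.ApacheSSLContext()` to the local_settings hook contexts is what makes `ssl_configured` available to the `{% if ssl_configured %}` blocks this commit adds to the local_settings templates, but that coupling is invisible from either side; a short comment on the new line, `# ApacheSSLContext supplies ssl_configured to the local_settings templates`, would make it explicit. If that context returns an empty dict when no certificate is configured, the undefined name simply evaluates false in Jinja, which appears to be the intended result but is worth confirming. The CONFIG_FILES OrderedDict begins outside the hunk.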
@ -264,6 +265,7 @@ def enable_ssl():
subprocess.call(['a2ensite', 'default-ssl'])
subprocess.call(['a2enmod', 'ssl'])
subprocess.call(['a2enmod', 'rewrite'])
subprocess.call(['a2enmod', 'headers'])
def determine_packages():
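Review bot: The new `subprocess.call(['a2enmod', 'headers'])` discards the exit status like the three calls above it, yet the `Header set` directives this commit adds to the default-ssl site are only valid once mod_headers is loaded, so a failed a2enmod would surface later as Apache refusing to start on an unknown `Header` directive rather than at the hook. `subprocess.check_call(['a2enmod', 'headers'])` would fail the hook at the point of the problem (the enable_ssl unit test in this commit mocks `subprocess.call`, so it would need to follow). enable_ssl() begins outside the hunk.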


@ -31,12 +31,14 @@
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
{% if ssl_configured %}
SSLCertificateFile {{ ssl_cert }}
SSLCertificateKeyFile {{ ssl_key }}
SSLCertificateFile {{ ssl_cert }}
SSLCertificateKeyFile {{ ssl_key }}
{% else %}
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
{% endif %}
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
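Review bot: `Header set` on the two new lines only edits the onsuccess header table, so 4xx/5xx responses from this vhost go out without X-XSS-Protection and X-Content-Type-Options; `Header always set X-XSS-Protection "1; mode=block"` and `Header always set X-Content-Type-Options "nosniff"` apply to both tables. Both directives depend on mod_headers, which this commit enables in enable_ssl(), so a comment above them such as `# requires mod_headers (enabled by enable_ssl)` would make the dependency visible. A Strict-Transport-Security header is the natural companion on an SSL-only vhost, but it affects any remaining plain-HTTP access and belongs in a separate change. The enclosing VirtualHost block starts and ends outside the hunk.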


@ -28,6 +28,11 @@ TEMPLATE_DEBUG = DEBUG
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
{% if ssl_configured %}
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
# Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specfic API version for a given service API.
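Review bot: The commented-out `#CSRF_COOKIE_SECURE = True` and `#SESSION_COOKIE_SECURE = True` lines directly above the new block now read as if the flags are still opt-in, when the block sets them whenever `ssl_configured` is true; replacing that comment with `# CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE are set automatically when SSL is configured on this charm` would keep the template honest. The same applies to the other four local_settings templates in this commit, which carry identical hunks. It may also be worth a comment that when TLS is terminated in front of Horizon rather than by this Apache, `ssl_configured` is presumably false and the Secure flags stay off, so operators in that setup need to handle it elsewhere.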


@ -46,6 +46,11 @@ WEBROOT = '/'
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
{% if ssl_configured %}
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
# Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specific API version for a given service API.


@ -45,6 +45,11 @@ WEBROOT = '/'
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
{% if ssl_configured %}
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
# The absolute path to the directory where message files are collected.
# The message file must have a .json file extension. When the user logins to


@ -45,6 +45,11 @@ WEBROOT = '/'
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
{% if ssl_configured %}
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
# The absolute path to the directory where message files are collected.
# The message file must have a .json file extension. When the user logins to


@ -45,6 +45,11 @@ WEBROOT = '/'
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
{% if ssl_configured %}
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
{% endif %}
# The absolute path to the directory where message files are collected.
# The message file must have a .json file extension. When the user logins to


@ -81,7 +81,8 @@ class TestHorizohorizon_utils(CharmTestCase):
_call.assert_has_calls([
call(['a2ensite', 'default-ssl']),
call(['a2enmod', 'ssl']),
call(['a2enmod', 'rewrite'])
call(['a2enmod', 'rewrite']),
call(['a2enmod', 'headers'])
])
def test_restart_map(self):