Set the password_autocomplete default to "off"

It's safer to set the autocomplete option to "off" for passwords
so that browsers get the hint to not save it. The default should
be secure so that deployers need to make a conscious decision to
be less-secure.

This is for security hardening.

SecurityImpact

Closes-Bug: 1420863

Change-Id: If2c3439cf23b11dd7829a4d7866d3b21409a7d69
Brant Knudson 2015-02-11 10:38:58 -06:00
parent 8c819a87b6
commit 7bd87acdd0
2 changed files with 2 additions and 2 deletions

@ -212,7 +212,7 @@ requires them.
.. versionadded:: 2013.1(Grizzly)
Default: ``"on"``
Default: ``"off"``
Controls whether browser autocompletion should be enabled on the login form.
Valid values are ``"on"`` and ``"off"``.
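
Review bot: The default line flips from ``"on"`` to ``"off"``, but the entry still carries only the ``.. versionadded:: 2013.1(Grizzly)`` marker, so a deployer reading the docs cannot tell that the default differs between releases. Add a ``.. versionchanged::`` note next to it naming the release this lands in and stating that the default moved to ``"off"``. The description line could also say that the value is a hint to the browser, as the commit message puts it, so nobody reads ``"off"`` as a guarantee that passwords are never saved.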

@ -40,7 +40,7 @@ HORIZON_CONFIG = {
'password_validator': {'regex': '.*',
'help_text': _("Password is not accepted")},
'password_autocomplete': 'on',
'password_autocomplete': 'off',
# Enable or disable simplified floating IP address management.
'simple_ip_management': True
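
Review bot: The 'password_autocomplete': 'off' entry has no comment, while 'simple_ip_management' directly below it does; since this default is a hardening decision, add a one-line comment above the key saying that 'off' is the secure default and 'on' is a deliberate opt-in. Deployments that never set this key will change behaviour on upgrade because only the dict default moves here, so that deserves a mention in the upgrade or release notes. The commit touches two files only, so please also confirm that no other place carries its own fallback value of 'on' for this key.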