Merge "Add django-debreach to horizon"

lower-constraints.txt

@@ -19,6 +19,7 @@ Django==1.11
 django-appconf==1.0.2
 django-babel==0.6.2
 django-compressor==2.0
+django-debreach==1.4.2
 django-pyscss==2.0.2
 doc8==0.6.0
 docutils==0.11

openstack_dashboard/settings.py

@@ -110,6 +110,7 @@ OPENSTACK_IMAGE_BACKEND = {
 }
 
 MIDDLEWARE = (
+    'debreach.middleware.RandomCommentMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
@@ -184,6 +185,7 @@ INSTALLED_APPS = [
     'django.contrib.staticfiles',
     'django.contrib.humanize',
     'django_pyscss',
+    'debreach',
     'openstack_dashboard.django_pyscss_fix',
     'compressor',
     'horizon',

releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    [:blueprint:`mitigate-breach-attacks`]
+    Adding Django-debreach module to mitigate breach attacks. Enabling
+    the RandomCommentMiddleware to counter breach attack by randomising
+    the content length of each response.

requirements.txt

@@ -14,6 +14,7 @@ Django<2,>=1.11;python_version<'3.0'  # BSD
 Django<2.1,>=1.11;python_version>='3.0'  # BSD
 django-babel>=0.6.2 # BSD
 django-compressor>=2.0 # MIT
+django-debreach>=1.4.2 # BSD License (2 clause)
 django-pyscss>=2.0.2 # BSD License (2 clause)
 futurist>=1.2.0 # Apache-2.0
 iso8601>=0.1.11 # MIT