Add recommendations for secure deployments

To deployment doc: Adds recommendations to secure cookies from cross site scripting and mentions how to disable browser autocompletion on the authentication form. To local_settings.py.example: Adds commented lines showing the CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE settings and recommending that the lines are uncommented if Horizon is being served through HTTPS. Change-Id: I0e2516c9c16622561a9b7955aa4b9db87a8410ee Fixes: bug #1118194
2013-02-13 13:07:21 +02:00 · 2013-02-13 13:07:21 +02:00 · c70ceb75f2
commit c70ceb75f2
parent 4bd2204809
2 changed files with 27 additions and 0 deletions
--- a/doc/source/topics/deployment.rst
+++ b/doc/source/topics/deployment.rst
@ -145,3 +145,25 @@ For a thorough discussion of the security implications of this session backend,
 please read the `Django documentation on cookie-based sessions`_.

 .. _Django documentation on cookie-based sessions: https://docs.djangoproject.com/en/dev/topics/http/sessions/#using-cookie-based-sessions
+
+Secure Site Recommendations
+---------------------------
+
+When implementing Horizon for public usage, with the website served through
+HTTPS, it is recommended that the following settings are applied.
+
+To help protect the session cookies from `cross-site scripting`_, add the
+following to ``local_settings.py`` :
+
+    CSRF_COOKIE_SECURE = True
+    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_HTTPONLY = True
+
+Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4. It
+does no harm to have the setting in earlier versions, but it does not take effect.
+
+You can also disable `browser autocompletion`_ for the authentication form by
+changing the ``password_autocomplete`` attribute to ``off`` in ``horizon/conf/default.py``
+
+.. _cross-site scripting: https://www.owasp.org/index.php/HttpOnly
+.. _browser autocompletion: https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML
--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
@ -14,6 +14,11 @@ TEMPLATE_DEBUG = DEBUG
 # https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header
 # SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')

+# If Horizon is being served through SSL, then uncomment the following two
+# settings to better secure the cookies from security exploits
+#CSRF_COOKIE_SECURE = True
+#SESSION_COOKIE_SECURE = True
+
 # Default OpenStack Dashboard configuration.
 HORIZON_CONFIG = {
    'dashboards': ('project', 'admin', 'settings',),