openstack/openstack-ansible
Code Issues Proposed changes
openstack-ansible/doc/source/user/security/security-headers.rst
James Gibson 8ad37b254d Add documentation of security improvements made to Openstack Ansible 
In the past couple of weeks a number of security patches have
been made to openstack-ansible, this patch documents these
changes. Hopefully the level of the documentation gives the users
enough background on what the changes are and how to use them,
without going into the detailed specifics of each feature.

Regarding the upgrade to TLS for haproxy internal VIP and backends
in existing deployments, I have some ideas on how this could be
done without causing downtime but have not had chance to test
this yet. The idea is to use a TCP frontend that accepts both
HTTP and HTTPS traffic and redirects to correct frontend for each.

Change-Id: Idc7b1c8908b150eaaf12980612083d31d3a5b669
2021-12-08 10:24:43 +00:00

128 lines
5.1 KiB
ReStructuredText
Raw Blame History

Security Headers
================
Security headers are HTTP headers that can be used to increase the security of
a web application by restricting what modern browsers are able to run.
In OpenStack-Ansible, security headers are implemented in haproxy as all the
public endpoints reside behind it.
The following headers are enabled by default on all the haproxy interfaces
that implement TLS, but only for the Horizon service. The security headers can
be implemented on other haproxy services, but only services used by
browsers will make use of the headers.
HTTP Strict Transport Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The `OpenStack TLS Security Guide`_ recommends that all production deployments use
HTTP strict transport security (HSTS).
.. _OpenStack TLS Security Guide: https://docs.openstack.org/security-guide/secure-communication/tls-proxies-and-http-services.html#http-strict-transport-security
By design, this header is difficult to disable once set. It is recommended that
during testing you set a short time of 1 day and after testing increase the time
to 1 year.
To change the default max age to 1 day, override the variable
``haproxy_security_headers_max_age`` in the
``/etc/openstack_deploy/user_variables.yml`` file:
.. code-block:: yaml
haproxy_security_headers_max_age: 86400
If you would like your domain included in the HSTS preload list, which is built
into browsers, before submitting your request to be added to the HSTS preload
list you must add the ``preload`` token to your response header. The ``preload``
token indicates to the maintainers of HSTS preload list that you are happy to
have your site included.
.. code-block:: yaml
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains; preload;\""
X-Content-Type-Options
~~~~~~~~~~~~~~~~~~~~~~
The ``X-Content-Type-Options`` header prevents MIME type sniffing.
This functionality can be changed by overriding the list of headers in
``haproxy_security_headers`` variable in the
``/etc/openstack_deploy/user_variables.yml`` file.
Referrer Policy
~~~~~~~~~~~~~~~
The ``Referrer-Policy`` header controls how much referrer information is sent
with requests. It defaults to ``same-origin``, which does not send the origin
path for cross-origin requests.
This functionality can be changed by overriding the list of headers in
``haproxy_security_headers`` variable in the
``/etc/openstack_deploy/user_variables.yml`` file.
Permission Policy
~~~~~~~~~~~~~~~~~
The ``Permissions-Policy`` header allows you to selectively enable, disable or
modify the use of browser features and APIs, previously known as Feature Policy.
By default this header is set to block access to all features apart from the
following from the same origin; fullscreen, clipboard read, clipboard
write and spatial navigation.
This functionality can be changed by overriding the list of headers in
``haproxy_security_headers`` variable in the
``/etc/openstack_deploy/user_variables.yml`` file.
Content Security Policy (CSP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The ``Content-Security-Policy`` header allows you to control what resources a
browser is allowed to load for a given page, which helps to mitigate the risks
from Cross-Site Scripting (XSS) and data injection attacks.
By default, the Content Security Policy (CSP) enables a minimum set of resources
to allow Horizon to work, which includes access the Nova console. If you require
access to other resources these can be set by overriding the
``haproxy_security_headers_csp`` variable in the
``/etc/openstack_deploy/user_variables.yml`` file.
Report Only
-----------
Implementing CSP could lead to broken content if a browser is blocked from
accessing certain resources, therefore it is recommended that when testing CSP
you use the ``Content-Security-Policy-Report-Only`` header, instead of
``Content-Security-Policy``, this reports CSP violations to the browser console,
but does not enforce the policy.
To set the CSP policy to report only by overriding the
``haproxy_security_headers_csp_report_only`` variable to ``True`` in the
``/etc/openstack_deploy/user_variables.yml`` file:
.. code-block:: yaml
haproxy_security_headers_csp_report_only: True
Reporting Violations
--------------------
It is recommended that you monitor attempted CSP violations in production, this
is achieved by setting the ``report-uri`` and ``report-to`` tokens.
Federated Login
---------------
When using federated login you will need to override the default Content
Security Policy to allow access to your authorisation server by overriding the
``haproxy_horizon_csp`` variable in the
``/etc/openstack_deploy/user_variables.yml`` file:
.. code-block:: yaml
haproxy_horizon_csp: "http-response set-header Content-Security-Policy \"default-src 'self'; frame-ancestors 'self'; form-action 'self' {{ external_lb_vip_address }}:5000 <YOUR-AUTHORISATION-SERVER-ORIGIN>; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};\""
View Git Blame Copy Permalink