openstack-ansible/releasenotes/notes/security-headers-87de60203899fdbb.yaml
James Gibson b6fe07ecf8 Add security headers to HAProxy Horizon service
Security headers are HTTP response headers that, when set, increase
the security of your application by restricting modern browsers from
running easily preventable vulnerabilities.

You can inspect your site using https://securityheaders.com/

This patch implements the following headers:
- strict-transport-security - HSTS enforces the use of HTTPS
- x-content-type-options - Stops the browser from changing the Content-Type
- referrer-policy - Control what information a browser includes
when it navigates from a page
- content-security-policy - CSP protects sites from XSS attacks by
controlling what resources a browser is able to load

Only enabled if HTTPS is in use.

There is the option to extend to all haproxy services in the
future, but as the headers are only used by browsers there may be
limited benefit to doing this other than for keystone and
console services.

Each of the headers set should have no effect on the operation of
the site apart from the CSP header. As the CSP header restricts
what resources a browser is allowed to load, if for example an
OpenStack instance is using federated login, CSP will block the
redirect. To fix this, the admin will need to override the CSP,
using `haproxy_horizon_csp` to set the allowed list of resources.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/818532

Change-Id: Ia99da8e4687b0a1d440f86d1c8be723ce2bfe061
2021-12-01 16:56:38 +00:00


---
security:
  - |
    The following security headers were added to the haproxy Horizon service:
    `strict-transport-security`, `x-content-type-options`, `referrer-policy`
    and `content-security-policy`.
    Care should be taken when deploying the `strict-transport-security` header,
    as this header implements Trust on First Use security, meaning that
    after a browser first visits the page the browser will enforce the use of
    HTTPS until the max age time has expired.
    For the time being the `strict-transport-security` `preload` token, which
    indicates that you are happy to have your site included in the HSTS preload
    list that is built into browsers, has been excluded.
    The headers can be disabled by setting `haproxy_security_headers: []` and
    the CSP (Content Security Policy) for Horizon can be overridden to support
    things like federated login by setting `haproxy_horizon_csp`.
    There is the option to extend to all haproxy services in the future, but as
    the headers are only used by browsers there may be limited benefit to doing
    this other than for keystone and console services.
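The commit message suggests inspecting the deployed site with securityheaders.com; the following is an added example of doing that check locally, written for this page and not part of the openstack-ansible change. It takes a dict of response headers (the `SAMPLE_HEADERS` below are constructed to resemble a hardened HTTPS Horizon response; in practice you would feed it the output of `curl -sI https://<horizon>`), confirms the four headers are present, parses the HSTS value to show the `max-age` and the absence of the excluded `preload` token, and parses the CSP to answer the question the release note raises: whether a hypothetical federated identity provider origin is already permitted, or whether `haproxy_horizon_csp` needs to be overridden. The origins `horizon.example.com` and `idp.example.com` are assumptions.

```python
"""Audit the response headers this change configures HAProxy to send for Horizon.

Added example, not part of the openstack-ansible change. It works on a plain
dict of response headers; SAMPLE_HEADERS is constructed, and the origins used
are hypothetical.
"""
from __future__ import annotations

# The four headers the change adds (compared case-insensitively).
REQUIRED = (
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)

# CSP fetch directives fall back to default-src when absent. Navigation
# directives such as form-action and frame-ancestors do not, so a policy of
# only "default-src 'self'" leaves form submission targets unrestricted.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "frame-src",
    "font-src", "media-src", "object-src", "child-src", "worker-src",
}

# Constructed sample: what a Horizon response behind the patched HAProxy might carry.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'; form-action 'self'",
}


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into max-age, includeSubDomains and preload."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in (t.strip().lower() for t in value.split(";")):
        if token.startswith("max-age="):
            out["max_age"] = int(token.split("=", 1)[1].strip('"'))
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Map each CSP directive name to its list of source expressions."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows(policy: dict[str, list[str]], directive: str,
               origin: str, self_origin: str) -> bool:
    """Return True if `origin` is permitted for `directive` under `policy`.

    Handles 'self', 'none', '*', scheme sources ("https:"), host wildcards
    ("https://*.example.com") and exact origins; nonces and hashes are ignored.
    """
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # directive unset and no applicable fallback: no restriction
    origin = origin.lower()
    for src in (s.lower() for s in sources):
        if src == "'self'" and origin == self_origin.lower():
            return True
        if src == "*" or src == origin:
            return True
        if src.endswith(":") and origin.startswith(src):
            return True
        if "://*." in src:
            scheme, host = src.split("://*.", 1)
            if origin.startswith(scheme + "://") and origin.endswith("." + host):
                return True
    return False


def audit(headers: dict, self_origin: str, idp_origin: str | None = None) -> dict:
    """Check presence and key properties of the four headers.

    `idp_origin` is a hypothetical federated identity provider; when given,
    the result says whether form-action already permits posting to it, i.e.
    whether `haproxy_horizon_csp` would need to be overridden.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = {name: name in h for name in REQUIRED}
    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        # One-year max-age is the threshold chosen here; adjust to local policy.
        findings["hsts_max_age_ok"] = (hsts["max_age"] or 0) >= 31536000
        findings["hsts_preload"] = hsts["preload"]
    findings["nosniff"] = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if idp_origin and "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        findings["idp_form_action_allowed"] = csp_allows(
            policy, "form-action", idp_origin, self_origin)
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_HEADERS, "https://horizon.example.com",
                   "https://idp.example.com")
    for key, value in result.items():
        print(f"{key:28} {value}")
```

With the sample policy, `idp_form_action_allowed` comes back `False`, which is the situation the release note describes for federated login: the fix is to add the provider's origin to `form-action` (or whichever directive governs the blocked request, visible in the browser console) in the `haproxy_horizon_csp` override rather than to drop the header. The HSTS check reports `hsts_preload` as `False`, matching the note's statement that the `preload` token is deliberately left out.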