diff --git a/horizon/templates/configmap-etc.yaml b/horizon/templates/configmap-etc.yaml
index bfdfc18733..2a812a61b2 100644
--- a/horizon/templates/configmap-etc.yaml
+++ b/horizon/templates/configmap-etc.yaml
@@ -25,6 +25,9 @@ type: Opaque
data:
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
+{{- if .Values.conf.horizon.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
{{- range $key, $value := .Values.conf.horizon.policy }}
{{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
{{- end }}
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 688e880a77..5a636471fd 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -102,6 +102,12 @@ spec:
mountPath: /etc/apache2/sites-enabled/000-default.conf
subPath: horizon.conf
readOnly: true
+ {{- if .Values.conf.horizon.security }}
+ - name: horizon-etc
+ mountPath: /etc/apache2/conf-available/security.conf
+ subPath: security.conf
+ readOnly: true
+ {{- end }}
- name: horizon-bin
mountPath: /var/www/cgi-bin/horizon/django.wsgi
subPath: django.wsgi
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 50a337e5bb..846982d204 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -97,6 +97,72 @@ conf:
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
+ security: |
+ #
+ # Disable access to the entire file system except for the directories that
+ # are explicitly allowed later.
+ #
+ # This currently breaks the configurations that come with some web application
+ # Debian packages.
+ #
+ #
+ # AllowOverride None
+ # Require all denied
+ #
+
+ # Changing the following options will not really affect the security of the
+ # server, but might make attacks slightly more difficult in some cases.
+
+ #
+ # ServerTokens
+ # This directive configures what you return as the Server HTTP response
+ # Header. The default is 'Full' which sends information about the OS-Type
+ # and compiled in modules.
+ # Set to one of: Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens Prod
+
+ #
+ # Optionally add a line containing the server version and virtual host
+ # name to server-generated pages (internal error documents, FTP directory
+ # listings, mod_status and mod_info output etc., but not CGI generated
+ # documents or custom error documents).
+ # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+ # Set to one of: On | Off | EMail
+ ServerSignature Off
+
+ #
+ # Allow TRACE method
+ #
+ # Set to "extended" to also reflect the request body (only for testing and
+ # diagnostic purposes).
+ #
+ # Set to one of: On | Off | extended
+ TraceEnable Off
+
+ #
+ # Forbid access to version control directories
+ #
+ # If you use version control systems in your document root, you should
+ # probably deny access to their directories. For example, for subversion:
+ #
+ #
+ # Require all denied
+ #
+
+ #
+ # Setting this header will prevent MSIE from interpreting files as something
+ # else than declared by the content type in the HTTP headers.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Content-Type-Options: "nosniff"
+
+ #
+ # Setting this header will prevent other sites from embedding pages from this
+ # site as frames. This defends against clickjacking attacks.
+ # Requires mod_headers to be enabled.
+ #
+ #Header set X-Frame-Options: "sameorigin"
local_settings:
config:
# Use "True" and "False" as Titlecase strings with quotes, boolean