Horizon: Expose additional security config params

Expose additional Horizon security params in accordance with the OpenStack Security Guide [0] - Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True - Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False [0] https://docs.openstack.org/security-guide/dashboard/checklist.html Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
2019-02-04 09:46:52 -05:00 · 2019-02-04 09:46:52 -05:00 · e60c91e99d
commit e60c91e99d
parent b02ec05d76
1 changed files with 8 additions and 6 deletions
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -176,6 +176,8 @@ conf:
        session_cookie_secure: "False"
        session_cookie_httponly: "False"
        secure_proxy_ssl_header: false
+        password_autocomplete: "off"
+        disallow_iframe_embed: "False"
        openstack_cinder_features:
          enable_backup: "True"
        openstack_neutron_network:
@ -245,10 +247,10 @@ conf:

        # If Horizon is being served through SSL, then uncomment the following two
        # settings to better secure the cookies from security exploits
-        CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}'
-        SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}'
+        CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
+        SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}

-        SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}'
+        SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}

        # Overrides for OpenStack API versions. Use this setting to force the
        # OpenStack dashboard to use a specific API version for a given service API.
@ -310,11 +312,11 @@ conf:

        # Turn off browser autocompletion for forms including the login form and
        # the database creation workflow if so desired.
-        #HORIZON_CONFIG["password_autocomplete"] = "off"
+        HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'

        # Setting this to True will disable the reveal button for password fields,
        # including on the login form.
-        HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}'
+        HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}

        LOCAL_PATH = '/tmp'

@ -874,7 +876,7 @@ conf:
        # where iframes are not used in deployment. Default setting is True.
        # For more information see:
        # http://tinyurl.com/anticlickjack
-        # DISALLOW_IFRAME_EMBED = True
+        DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}

        STATIC_ROOT = '/var/www/html/horizon'
    policy: