Horizon: Expose additional security config params

Expose additional Horizon security params in accordance with the
OpenStack Security Guide [0]

- Check-Dashboard-03: Is DISALLOW_IFRAME_EMBED parameter set to True
- Check-Dashboard-07: Is PASSWORD_AUTOCOMPLETE set to False

[0] https://docs.openstack.org/security-guide/dashboard/checklist.html

Change-Id: I355ddbc9fb1dcd0a6100ee650afd54680ef9ffbd
Rick Bartra 2019-02-04 09:46:52 -05:00
parent b02ec05d76
commit e60c91e99d


@ -176,6 +176,8 @@ conf:
session_cookie_secure: "False" session_cookie_secure: "False"
session_cookie_httponly: "False" session_cookie_httponly: "False"
secure_proxy_ssl_header: false secure_proxy_ssl_header: false
password_autocomplete: "off"
disallow_iframe_embed: "False"
openstack_cinder_features: openstack_cinder_features:
enable_backup: "True" enable_backup: "True"
openstack_neutron_network: openstack_neutron_network:
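Review bot: The new default `disallow_iframe_embed: "False"` weakens the very setting this commit sets out to expose: the template comment retained in the -874 hunk says Horizon's built-in default is True, and before this change `DISALLOW_IFRAME_EMBED` was left commented out, so deployments that never override this value now lose the clickjacking protection they previously had by default. Check-Dashboard-03 in the commit message asks for True, so the shipped default should be `disallow_iframe_embed: "True"`, which the -874 hunk would then render as `DISALLOW_IFRAME_EMBED = True`. Because that template line emits the value unquoted into Python, a comment above the key such as `# rendered as a bare Python literal; use "True" or "False" only` would keep future overrides from producing a string that is always truthy. The `config:` stanza these keys belong to starts before this hunk.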
@ -245,10 +247,10 @@ conf:
# If Horizon is being served through SSL, then uncomment the following two # If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits # settings to better secure the cookies from security exploits
CSRF_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}' CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
SESSION_COOKIE_SECURE = '{{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}' SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
SESSION_COOKIE_HTTPONLY = '{{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}' SESSION_COOKIE_HTTPONLY = {{ .Values.conf.horizon.local_settings.config.session_cookie_httponly }}
# Overrides for OpenStack API versions. Use this setting to force the # Overrides for OpenStack API versions. Use this setting to force the
# OpenStack dashboard to use a specific API version for a given service API. # OpenStack dashboard to use a specific API version for a given service API.
@ -310,11 +312,11 @@ conf:
# Turn off browser autocompletion for forms including the login form and # Turn off browser autocompletion for forms including the login form and
# the database creation workflow if so desired. # the database creation workflow if so desired.
#HORIZON_CONFIG["password_autocomplete"] = "off" HORIZON_CONFIG["password_autocomplete"] = '{{ .Values.conf.horizon.local_settings.config.password_autocomplete }}'
# Setting this to True will disable the reveal button for password fields, # Setting this to True will disable the reveal button for password fields,
# including on the login form. # including on the login form.
HORIZON_CONFIG["disable_password_reveal"] = '{{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}' HORIZON_CONFIG["disable_password_reveal"] = {{ .Values.conf.horizon.local_settings.config.disable_password_reveal }}
LOCAL_PATH = '/tmp' LOCAL_PATH = '/tmp'
@ -874,7 +876,7 @@ conf:
# where iframes are not used in deployment. Default setting is True. # where iframes are not used in deployment. Default setting is True.
# For more information see: # For more information see:
# http://tinyurl.com/anticlickjack # http://tinyurl.com/anticlickjack
# DISALLOW_IFRAME_EMBED = True DISALLOW_IFRAME_EMBED = {{ .Values.conf.horizon.local_settings.config.disallow_iframe_embed }}
STATIC_ROOT = '/var/www/html/horizon' STATIC_ROOT = '/var/www/html/horizon'
policy: policy: