OpenStack Horizon – SESSION_COOKIE_HTTPONLY parameter set to True

Details

The HttpOnly cookie attribute instructs web browsers not to let scripts (e.g. JavaScript or VBScript) access the cookie through the DOM document.cookie object. This protection is mandatory for the session ID cookie, to prevent session ID theft through XSS attacks.

Solution

Set the SESSION_COOKIE_HTTPONLY parameter in /etc/openstack-dashboard/local_settings.py to True.
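One way to audit this setting, as an added example that is not part of the original guide or of Horizon: it parses the settings file with Python's ast module instead of importing it, so a commented-out line or a later override is not mistaken for a pass. The function name, the three status strings and the sample file contents are assumptions made for the example.

```python
import ast
import sys

SETTING = "SESSION_COOKIE_HTTPONLY"
DEFAULT_PATH = "/etc/openstack-dashboard/local_settings.py"

# Constructed sample file contents (not taken from a real deployment).
SAMPLE_GOOD = "CSRF_COOKIE_SECURE = True\nSESSION_COOKIE_HTTPONLY = True\n"
SAMPLE_COMMENTED = "#SESSION_COOKIE_HTTPONLY = True\nDEBUG = False\n"
SAMPLE_OVERRIDDEN = "SESSION_COOKIE_HTTPONLY = True\nSESSION_COOKIE_HTTPONLY = False\n"
SAMPLE_STRING = 'SESSION_COOKIE_HTTPONLY = "True"\n'


def audit_settings(source: str) -> str:
    """Return 'pass', 'fail' or 'unset' for SETTING in a settings file's text.

    The text is parsed, never imported or executed, so auditing a broken or
    untrusted local_settings.py cannot run its code.
    """
    tree = ast.parse(source)
    result = "unset"
    # Only top-level statements count; the last assignment wins, as it does
    # when the module is loaded.
    for node in tree.body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        if any(isinstance(t, ast.Name) and t.id == SETTING for t in targets):
            # Require the literal True; "True", 1 or an expression is a fail.
            is_true = isinstance(value, ast.Constant) and value.value is True
            result = "pass" if is_true else "fail"
    return result


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, encoding="utf-8") as fh:
        status = audit_settings(fh.read())
    print(f"{SETTING}: {status}")
    sys.exit(0 if status == "pass" else 1)
```

Run against the file path as the only argument; the exit status is 0 only when the setting is explicitly True, which makes the script usable in a configuration-compliance job.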

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022