OpenStack Horizon – CSRF_COOKIE_SECURE parameter set to True Details CSRF (Cross-site request forgery) is an attack which forces an end user to execute unauthorized commands on a web...
OpenStack Horizon – disable_password_reveal parameter set to True Details It is recommended not to reveal password fields. Solution Set the value of parameter disable_password_reveal in /etc/openstack-dashboard/local_settings.py to True...
OpenStack Horizon – password_autocomplete parameter set to off Details A common feature that applications use to provide users a convenience is to cache the password locally in the browser...
OpenStack Horizon – SESSION_COOKIE_HTTPONLY parameter set to True Details The ‘HTTPONLY’ cookie attribute instructs web browsers not to allow scripts (e.g. JavaScript or VBScript) to access...
OpenStack Horizon – SESSION_COOKIE_SECURE parameter set to True Details The ‘SECURE’ cookie attribute instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection. This...
OpenStack Horizon – strict permissions set for horizon configuration files – /etc/openstack-dashboard/local_settings.py Details It is recommended to set strict access permissions (640 or stricter) for configuration files. Solution Set file permissions to...
OpenStack Horizon – user/group of config files set to root/horizon – /etc/openstack-dashboard/local_settings.py Details Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either...
OpenStack Horizon – USE_SSL parameter set to True Details OpenStack services communicate with each other using various protocols, and the communication might involve sensitive/confidential information. An attacker may...