Bug 1001369 - Enable django-secure middleware by default
Status: CLOSED WONTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.0
Assigned To: Matthias Runge
Ami Jeain
: Triaged
Depends On: 1001474
Blocks: 1032303
Reported: 2013-08-26 19:13 EDT by Grant Murphy
Modified: 2014-11-09 18:06 EST
Doc Type: Enhancement
Doc Text:
When setting up a Django application such as Horizon, there are common issues. It is recommended to set up the horizon service via SSL. Additionally, one can use python-django-secure, which provides a script to check whether the currently configured solution is safe. More information about django-secure can be found in its online docs: http://django-secure.readthedocs.org/en/latest/
Clones: 1032303 (view as bug list)
Last Closed: 2013-11-19 03:38:30 EST
Type: Bug
Description Grant Murphy 2013-08-26 19:13:04 EDT
This module ensures that most of the best practices and modern browser protection mechanisms are enabled. 

http://django-secure.readthedocs.org/en/latest/

Adoption for the openstack dashboard should be considered as a hardening measure.
Comment 2 Matthias Runge 2013-08-27 02:48:15 EDT
Review request for python-django-secure: https://bugzilla.redhat.com/show_bug.cgi?id=1001474
Comment 4 Matthias Runge 2013-09-09 04:55:05 EDT
If I see this right, then
- Django-secure is more a linter than a script targeted for productive use
- it's targeted to secure an installation, so it's good to check a config, even a default config.
- but: this is especially targeted for hardening SSL installations. SSL configuration is beyond the scope of this package.

This package enables one to make a more secure config, but I don't see a daily use case for this to have it added by default.
Comment 5 Grant Murphy 2013-10-09 19:15:17 EDT
@mrunge FWIW it is also middleware.

The SecurityMiddleware adds these features that are not a part of django by default AFAIK: 

X-Frame-Options: DENY 
HTTP Strict Transport Security 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
SSL Redirect
Detecting proxied SSL

The linting-like feature will give you warnings if you have settings turned off that you probably shouldn't. For example, if you are using django sessions without setting HTTP_ONLY and Secure. I think of this as more of a sanity check for deployment.

In theory we *should* be promoting secure by default and people *should* always use TLS for administrative console. However I acknowledge that this is probably not always practical. I will defer to your judgement as to whether this addition is practical or useful to enterprise users. Just wanted to clarify the purpose of this component.
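As an added illustration of the two behaviours described in the comment above (this is example code written for this page, not django-secure's own implementation and not part of the bug): a dependency-free model of what the SecurityMiddleware adds to a response, including the proxied-SSL detection and SSL redirect, plus the deployment "sanity check" that warns about settings left off. The setting names follow the ones django-secure documents; the request and response shapes, the sample settings and the host names are constructed for this example.

```python
# Added example, not django-secure's own code. Models (1) the headers and SSL
# redirect the SecurityMiddleware adds and (2) the settings sanity check.
# Setting names follow django-secure's docs; request shape is constructed.

SECURE_DEFAULTS = {
    "SECURE_SSL_REDIRECT": False,
    "SECURE_PROXY_SSL_HEADER": None,   # e.g. ("HTTP_X_FORWARDED_PROTO", "https")
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SECURE_FRAME_DENY": False,
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
    "SECURE_BROWSER_XSS_FILTER": False,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": False,
}


def is_secure(request, settings):
    """Was the request made over TLS? Honour a trusted proxy header if the
    deployment configured one (the 'detecting proxied SSL' feature)."""
    if request.get("scheme") == "https":
        return True
    proxy = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy:
        header, value = proxy
        return request.get("META", {}).get(header) == value
    return False


def process_request(request, settings):
    """Return the HTTPS URL the middleware would redirect to, or None."""
    if settings.get("SECURE_SSL_REDIRECT") and not is_secure(request, settings):
        return "https://%s%s" % (request["host"], request["path"])
    return None


def process_response(request, settings):
    """Headers the middleware would add to the response for this request."""
    headers = {}
    if settings.get("SECURE_FRAME_DENY"):
        headers["X-Frame-Options"] = "DENY"
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    if settings.get("SECURE_BROWSER_XSS_FILTER"):
        headers["X-XSS-Protection"] = "1; mode=block"
    hsts = int(settings.get("SECURE_HSTS_SECONDS") or 0)
    # Browsers only honour HSTS on an HTTPS response, so emit it only there.
    if hsts and is_secure(request, settings):
        value = "max-age=%d" % hsts
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value
    return headers


def check_settings(settings):
    """Deployment sanity check: list protections that are switched off."""
    merged = dict(SECURE_DEFAULTS)
    merged.update(settings)
    warnings = []
    flags = [
        ("SECURE_SSL_REDIRECT", "plain-HTTP requests are not redirected to HTTPS"),
        ("SECURE_FRAME_DENY", "pages can be framed (clickjacking)"),
        ("SECURE_CONTENT_TYPE_NOSNIFF", "browsers may MIME-sniff responses"),
        ("SECURE_BROWSER_XSS_FILTER", "browser XSS filter is not requested"),
        ("SESSION_COOKIE_SECURE", "session cookie can be sent over plain HTTP"),
        ("SESSION_COOKIE_HTTPONLY", "session cookie is readable from JavaScript"),
    ]
    for name, why in flags:
        if not merged[name]:
            warnings.append("%s is off: %s" % (name, why))
    if not merged["SECURE_HSTS_SECONDS"]:
        warnings.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header")
    return warnings


# Constructed samples: an out-of-the-box settings.py versus a hardened one.
DEFAULT_SETTINGS = {}
HARDENED_SETTINGS = {
    "SECURE_SSL_REDIRECT": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_FRAME_DENY": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}

if __name__ == "__main__":
    # Constructed request: plain HTTP to the app, but the proxy terminated TLS.
    req = {"scheme": "http", "host": "dashboard.example", "path": "/admin/",
           "META": {"HTTP_X_FORWARDED_PROTO": "https"}}
    print("redirect:", process_request(req, HARDENED_SETTINGS))
    for name, value in sorted(process_response(req, HARDENED_SETTINGS).items()):
        print("%s: %s" % (name, value))
    for warning in check_settings(DEFAULT_SETTINGS):
        print("WARNING:", warning)
```

Run against the constructed default settings the check lists every protection as off; against the hardened settings it is silent, the proxied request is not redirected because the X-Forwarded-Proto header it trusts says TLS was used, and the four browser-facing headers are emitted. Note that SECURE_PROXY_SSL_HEADER should only be set when the proxy is guaranteed to overwrite that header on every inbound request, otherwise a client could claim to be on TLS.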
Comment 6 Matthias Runge 2013-11-13 05:45:27 EST
It should be documented that it's advisable to use django-secure.
Comment 7 Matthias Runge 2013-11-19 03:20:02 EST
Provided doc-text.

Still, I don't think, we should add django-secure as a requirement to python-django-horizon. Esp. we don't ship python-django-secure as part of RHOS.