Bug 1001369 - Enable django-secure middleware by default
Summary: Enable django-secure middleware by default
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.0
Assignee: Matthias Runge
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On: 1001474
Blocks: 1032303
TreeView+ depends on / blocked
 
Reported: 2013-08-26 23:13 UTC by Grant Murphy
Modified: 2014-11-09 23:06 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
When setting up a Django application such as Horizon, there are common issues. It is recommended to set up service horizon via SSL. Additionally one can use python-django-secure, which provides a script, to check if the currently configured solution is safe. More information about django-secure can be found at it's online docs http://django-secure.readthedocs.org/en/latest/
Clone Of:
: 1032303 (view as bug list)
Environment:
Last Closed: 2013-11-19 08:38:30 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Grant Murphy 2013-08-26 23:13:04 UTC
This module ensures that most of the best practices and modern browser protection mechanisms are enabled. 

http://django-secure.readthedocs.org/en/latest/

Adoption for the openstack dashboard should be considered as a hardening measure.

Comment 2 Matthias Runge 2013-08-27 06:48:15 UTC
Review request for python-django-secure: https://bugzilla.redhat.com/show_bug.cgi?id=1001474

Comment 4 Matthias Runge 2013-09-09 08:55:05 UTC
If I see this right, then
- Django-secure is more a linter than a script targeted for a productive use
- it's targeted to secure a installation, so it's good to check a config, even a default config. 
- but: this is especially targeted for hardening SSL installations. SSL configuration is beyond scope of this package.

This package enables one to make a more secure config, but I don't see a daily use case for this to have it added by default.

Comment 5 Grant Murphy 2013-10-09 23:15:17 UTC
@mrunge FWIW it is also middleware.

The SecurityMiddleware adds these features that are not a part of django by default AFAIK: 

X-Frame-Options: DENY 
HTTP Strict Transport Security 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
SSL Redirect
Detecting proxied SSL

The linting like feature will give you warnings if you have settings turned off that you probably shouldn't. For example if you are using django sessions without
setting HTTP_ONLY and Secure. I think of this as more of a sanity check for deployment.

In theory we *should* be promoting secure by default and people *should* always use TLS for administrative console. However I acknowledge that this is probably not always practical. I will defer to your judgement as to whether this addition is practical or useful to enterprise users. Just wanted to clarify the purpose of this component.

Comment 6 Matthias Runge 2013-11-13 10:45:27 UTC
should be documented, that it's advisable to use django-secure

Comment 7 Matthias Runge 2013-11-19 08:20:02 UTC
Provided doc-text.

Still, I don't think, we should add django-secure as a requirement to python-django-horizon. Esp. we don't ship python-django-secure as part of RHOS.


Note You need to log in before you can comment on or make changes to this bug.