Bug 1001369 – Enable django-secure middleware by default

Bug 1001369 - Enable django-secure middleware by default

Summary:	Enable django-secure middleware by default

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-django-horizon (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	4.0
Assigned To:	Matthias Runge
QA Contact:	Ami Jeain
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged

Depends On:	1001474
Blocks:	1032303
	Show dependency tree / graph

Reported:	2013-08-26 19:13 EDT by Grant Murphy
Modified:	2014-11-09 18:06 EST (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	When setting up a Django application such as Horizon, there are common issues. It is recommended to set up service horizon via SSL. Additionally one can use python-django-secure, which provides a script, to check if the currently configured solution is safe. More information about django-secure can be found at it's online docs http://django-secure.readthedocs.org/en/latest/
Story Points:	---
Clone Of:
Clones:	1032303 (view as bug list)
Environment:
Last Closed:	2013-11-19 03:38:30 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Grant Murphy 2013-08-26 19:13:04 EDT

This module ensures that most of the best practices and modern browser protection mechanisms are enabled. 

http://django-secure.readthedocs.org/en/latest/

Adoption for the openstack dashboard should be considered as a hardening measure.

Comment 2 Matthias Runge 2013-08-27 02:48:15 EDT

Review request for python-django-secure: https://bugzilla.redhat.com/show_bug.cgi?id=1001474

Comment 3 Matthias Runge 2013-09-02 04:45:07 EDT

The packages are here:
https://admin.fedoraproject.org/updates/python-django-secure-1.0-1.el6
https://admin.fedoraproject.org/updates/python-django-secure-1.0-1.fc19

Comment 4 Matthias Runge 2013-09-09 04:55:05 EDT

If I see this right, then
- Django-secure is more a linter than a script targeted for a productive use
- it's targeted to secure a installation, so it's good to check a config, even a default config. 
- but: this is especially targeted for hardening SSL installations. SSL configuration is beyond scope of this package.

This package enables one to make a more secure config, but I don't see a daily use case for this to have it added by default.

Comment 5 Grant Murphy 2013-10-09 19:15:17 EDT

@mrunge FWIW it is also middleware.

The SecurityMiddleware adds these features that are not a part of django by default AFAIK: 

X-Frame-Options: DENY 
HTTP Strict Transport Security 
X-Content-Type-Options: nosniff 
X-XSS-Protection: 1; mode=block 
SSL Redirect
Detecting proxied SSL

The linting like feature will give you warnings if you have settings turned off that you probably shouldn't. For example if you are using django sessions without
setting HTTP_ONLY and Secure. I think of this as more of a sanity check for deployment.

In theory we *should* be promoting secure by default and people *should* always use TLS for administrative console. However I acknowledge that this is probably not always practical. I will defer to your judgement as to whether this addition is practical or useful to enterprise users. Just wanted to clarify the purpose of this component.

Comment 6 Matthias Runge 2013-11-13 05:45:27 EST

should be documented, that it's advisable to use django-secure

Comment 7 Matthias Runge 2013-11-19 03:20:02 EST

Provided doc-text.

Still, I don't think, we should add django-secure as a requirement to python-django-horizon. Esp. we don't ship python-django-secure as part of RHOS.

Note You need to log in before you can comment on or make changes to this bug.