OSSN/OSSN-0035

Summary
Deployers using Horizon for production or internet-facing operations should strongly consider configuring HTTP Strict Transport Security (HSTS) for their deployment.

Affected Services / Software
Horizon, SSL, TLS, Apache, Nginx

Discussion
HTTP Strict Transport Security (HSTS) is a response header that tells a browser to talk to the issuing host only over HTTPS (TLS) for the period given by max-age: the browser rewrites any http:// reference to that host to https:// before sending it, and refuses to let the user click through certificate errors. This mitigates attacks such as sslstrip, where an attacker on the network path rewrites https:// links to http:// on the wire so that the victim's browser keeps talking plaintext HTTP to the attacker, exposing credentials and session cookies. Two caveats: browsers only honour the header when it arrives over a valid HTTPS connection, so it must be set on the TLS virtual host, and the protection only begins once the browser has seen the header at least once (the very first visit, or the first visit after max-age has expired, is still unprotected unless the domain is on the browsers' preload lists).

HSTS can be enabled in both Apache httpd and Nginx, the two web servers most commonly used to serve Horizon at scale.

Recommended Actions
If using Apache httpd to host Horizon, make sure mod_headers is loaded and add the following to the 'VirtualHost' entry that serves Horizon over HTTPS (browsers ignore the header on plain HTTP responses). 'always' sends the header on error responses as well, 'set' avoids duplicating a header added elsewhere, and a max-age of 15768000 seconds is roughly six months:

Header always set Strict-Transport-Security "max-age=15768000"

We suggest also using mod_rewrite to ensure all visitors to Horizon land on a secure page. To accomplish this, add the following to the 'VirtualHost' entry that listens on port 80 (mod_rewrite must be loaded). Because the substitution is an absolute https:// URL, mod_rewrite issues an external redirect; the [R=301,L] flags make it a permanent redirect and stop further rule processing:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If using Nginx to host Horizon, add the following to the 'server' block that terminates TLS for Horizon. Note that Nginx 'add_header' directives are only inherited from the enclosing block when the current block defines none of its own, so any 'location' block that sets its own headers must repeat this line; on Nginx 1.7.5 or later, appending the 'always' parameter also sends the header on error responses. The Nginx equivalent of the Apache redirect above is a 'return 301 https://$host$request_uri;' in the 'server' block that listens on port 80:

add_header Strict-Transport-Security "max-age=15768000";

As always, test these configuration settings in a staging environment before deploying them to production in order to catch any bugs or errors, and confirm with a client such as curl that plain-HTTP requests are redirected and that HTTPS responses carry the Strict-Transport-Security header.
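The following shell helpers are an added example of that verification step; they are not part of OSSN-0035 or of Horizon. They parse raw response headers of the kind `curl -sI` prints, check that the HTTPS response carries an HSTS header with a max-age of at least the six-month value recommended above, and check that the plain-HTTP response is a redirect to an https:// URL. The sample header blocks are constructed for the demonstration, and horizon.example.com is a placeholder hostname:

```shell
# Added verification helpers (not part of OSSN-0035). They inspect raw response
# headers such as `curl -sI` prints, so they can be run against the constructed
# samples below or against a live deployment via check_live_host.

# Recommended minimum max-age, matching the ~6 month value in the note above.
MIN_MAX_AGE=15768000

# Print the max-age value of the Strict-Transport-Security header found in the
# given header text; print nothing if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
      | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Succeed only if an HSTS header is present and its max-age is long enough.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$MIN_MAX_AGE" ]
}

# Succeed only if the (plain-HTTP) response is a redirect to an https:// URL.
redirects_to_https() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) ~ /^http\// && ($2 == "301" || $2 == "302" || $2 == "307" || $2 == "308") { status_ok = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { loc_ok = 1 }
        END { if (status_ok && loc_ok) exit 0; exit 1 }'
}

# Live check of a real host (needs network; not invoked here). Pass the
# hostname your deployment actually uses.
check_live_host() {
    host=$1
    redirects_to_https "$(curl -sI "http://$host/")" &&
    hsts_ok "$(curl -sI "https://$host/")"
}

# Constructed sample responses (not captured from any real deployment).
HTTPS_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15768000
Content-Type: text/html; charset=utf-8'

HTTP_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://horizon.example.com/dashboard/
Content-Length: 0'

WEAK_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300'

if hsts_ok "$HTTPS_HEADERS"; then
    echo "sample HTTPS response: HSTS present, max-age=$(hsts_max_age "$HTTPS_HEADERS")"
fi
if ! hsts_ok "$WEAK_HEADERS"; then
    echo "sample weak response: HSTS max-age too short (or header missing)"
fi
if redirects_to_https "$HTTP_HEADERS"; then
    echo "sample HTTP response: redirects to https://"
fi
```

Against a live deployment, `check_live_host horizon.example.com` exits non-zero if either the redirect or the header is missing, which makes it easy to wire into a post-deployment smoke test.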

Contacts / References

 * Author: Robert Clark, HP
 * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035
 * SSL Strip : http://www.thoughtcrime.org/software/sslstrip
 * Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1191050
 * OpenStack Security ML : openstack-security@lists.openstack.org
 * OpenStack Security Group : https://launchpad.net/~openstack-ossg
 * HTTP Strict Transport Security : https://www.owasp.org/index.php/HTTP_Strict_Transport_Security