Jump to: navigation, search


Revision as of 09:48, 22 July 2016 by Lhinds (talk | contribs) (Contacts / References)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Configure Horizon to mitigate BREACH/CRIME attacks


Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks in it's default configuration.

Affected Services / Software

Horizon, Django, Apache, Nginx, SSL, TLS


The BREACH attack may be used to compromise Django's cross-site request forgery (CSRF) protection. OpenStack's Horizon web dashboard is built on the Django framework, and is consequently affected. There is no fix available in Horizon itself, but there are protection options.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS.

Recommended Actions

Since BREACH is related to serving compressed data, disabling compression of web responses can be used to mitigate these type of attacks. Some methods for this include:

Disable Django's GZIP Middleware:

Disable GZip compression in your web server's config. For Apache httpd, you can do this by disabling mod_deflate:

For Nginx, you can do this by disabling the gzip module:

Contacts / References