HTTPS, HSTS, XSS, and SSRF

Cross Site Scripting (XSS)

Unlike many similar systems, the OpenStack dashboard allows the entire Unicode character set in most fields. This leaves developers less margin for escaping mistakes that would open cross-site scripting (XSS) attack vectors.

Dashboard provides tools for developers to avoid creating XSS vulnerabilities, but they only work if developers use them correctly. Audit any custom dashboards, paying particular attention to use of the mark_safe function, use of is_safe with custom template tags, the safe template tag, anywhere auto escape is turned off, and any JavaScript which might evaluate improperly escaped data.

Cross Site Request Forgery (CSRF)

Django has dedicated middleware for cross-site request forgery (CSRF). For further details, see the Django documentation.

The OpenStack dashboard is designed to discourage developers from introducing cross-site scripting vulnerabilities with custom dashboards, since custom dashboards can introduce new threats. Dashboards that utilize multiple instances of JavaScript should be audited for vulnerabilities such as inappropriate use of the @csrf_exempt decorator. Any dashboard that does not follow these recommended security settings should be carefully evaluated before restrictions are relaxed.
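The audit recommended in the XSS section above and in the CSRF paragraph (mark_safe, is_safe on custom filters, the safe template filter, autoescape turned off, and @csrf_exempt) can be given a first pass mechanically. The scanner below is an added example, not code from the OpenStack dashboard or its documentation; the sample files it scans are constructed here, and a hit is only an audit lead that a reviewer still has to check by hand.

```python
import re
from typing import Dict, List, Tuple

# One regex per construct from the audit list above. A hit marks a place where
# Django's auto-escaping or CSRF check is bypassed; it is an audit lead, not a
# confirmed vulnerability, and needs a human to confirm the data is trusted.
AUDIT_PATTERNS: Dict[str, re.Pattern] = {
    "mark_safe": re.compile(r"\bmark_safe\s*\("),
    "is_safe_filter": re.compile(r"\bis_safe\s*=\s*True\b"),
    "safe_filter": re.compile(r"\|\s*safe\b"),
    "autoescape_off": re.compile(r"{%\s*autoescape\s+off\s*%}"),
    "csrf_exempt": re.compile(r"@csrf_exempt\b"),
}


def audit_source(text: str) -> List[Tuple[str, int, str]]:
    """Scan one Python or template file body; return (label, line number, line) per hit."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in AUDIT_PATTERNS.items():
            if pattern.search(line):
                findings.append((label, lineno, line.strip()))
    return findings


def audit_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Audit a mapping of file name -> contents; files with no hits are omitted."""
    return {name: hits for name, text in files.items() if (hits := audit_source(text))}


# Constructed sample of a custom dashboard (hypothetical; not Horizon code).
SAMPLE_FILES = {
    "views.py": (
        "from django.utils.safestring import mark_safe\n"
        "from django.views.decorators.csrf import csrf_exempt\n"
        "\n"
        "def instance_cell(name):\n"
        "    return mark_safe('<td>' + name + '</td>')  # name is tenant-controlled\n"
        "\n"
        "@csrf_exempt\n"
        "def delete_instance(request):\n"
        "    pass\n"
    ),
    "row.html": "{% autoescape off %}\n<div>{{ description|safe }}</div>\n{% endautoescape %}\n",
    "clean.py": "from django.utils.html import escape\n",
}

if __name__ == "__main__":
    for fname, hits in audit_files(SAMPLE_FILES).items():
        for label, lineno, line in hits:
            print(f"{fname}:{lineno}: {label}: {line}")
```

Point it at the source tree of a custom dashboard by reading each .py and .html file into the mapping passed to audit_files; the import lines are deliberately not flagged, only the call sites and decorators are.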

Cross-Frame Scripting (XFS)

Legacy browsers are still vulnerable to Cross-Frame Scripting (XFS), so the OpenStack dashboard provides the DISALLOW_IFRAME_EMBED option, which allows extra security hardening in deployments where iframes are not used.

HTTPS

Deploy the dashboard behind a secure HTTPS server by using a valid, trusted certificate from a recognized certificate authority (CA). Private organization-issued certificates are only appropriate when the root of trust is pre-installed in all user browsers.

Configure HTTP requests to the dashboard domain to redirect to the fully qualified HTTPS URL.

HTTP Strict Transport Security (HSTS)

It is highly recommended to use HTTP Strict Transport Security (HSTS).

Note

If you are using an HTTPS proxy in front of your web server, rather than using an HTTP server with HTTPS functionality, modify the SECURE_PROXY_SSL_HEADER variable. Refer to the Django documentation for information about modifying the SECURE_PROXY_SSL_HEADER variable.

See the chapter on Secure communication for more specific recommendations and server configurations for HTTPS, including the configuration of HSTS.