openstack/horizon
Code Issues Proposed changes
f0f4295430
horizon/releasenotes/notes/bp-mitigate-breach-attacks-dd54b705e22363b0.yaml
Nishant Kumar ccdf8c55e6 Add django-debreach to horizon 
BREACH is a category of vulnerabilities and not a specific
instance affecting a specific piece of software. To be vulnerable,
a web application must:

  * Be served from a server that uses HTTP-level compression
  * Reflect user-input in HTTP response bodies
  * Reflect a secret (such as a CSRF token) in HTTP response bodies

More details on breach attack - http://breachattack.com/

Since horizon falls under this category, we can include django-debreach
module within horizon as a requirement which provides mitigation against the breach attacks.

https://github.com/lpomfrey/django-debreach

CSRF token masking is a built-in feature within Django 1.10+,
therefore only content-length modification feature provided by django-debreach
can be enabled.

Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a

Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
Blueprint: mitigate-breach-attacks
2018-08-25 07:49:32 +05:30

8 lines
247 B
YAML
Raw Blame History

---
features:
- |
[:blueprint:`mitigate-breach-attacks`]
Adding Django-debreach module to mitigate breach attacks. Enabling
the RandomCommentMiddleware to counter breach attack by randomising
the content length of each response.
View Git Blame Copy Permalink