openstack-ansible/doc/source/user/security/security-headers.rst
James Gibson 8ad37b254d Add documentation of security improvements made to Openstack Ansible
In the past couple of weeks a number of security patches have
been made to openstack-ansible, this patch documents these
changes. Hopefully the level of the documentation gives the users
enough background on what the changes are and how to use them,
without going into the detailed specifics of each feature.

Regarding the upgrade to TLS for haproxy internal VIP and backends
in existing deployments, I have some ideas on how this could be
done without causing downtime but have not had chance to test
this yet. The idea is to use a TCP frontend that accepts both
HTTP and HTTPS traffic and redirects to correct frontend for each.

Change-Id: Idc7b1c8908b150eaaf12980612083d31d3a5b669
2021-12-08 10:24:43 +00:00

5.1 KiB

Security Headers

Security headers are HTTP headers that can be used to increase the security of a web application by restricting what modern browsers are able to run.

In OpenStack-Ansible, security headers are implemented in haproxy as all the public endpoints reside behind it.

The following headers are enabled by default on all the haproxy interfaces that implement TLS, but only for the Horizon service. The security headers can be implemented on other haproxy services, but only services used by browsers will make use of the headers.

HTTP Strict Transport Security

The OpenStack TLS Security Guide recommends that all production deployments use HTTP strict transport security (HSTS).

By design, this header is difficult to disable once set. It is recommended that during testing you set a short time of 1 day and after testing increase the time to 1 year.

To change the default max age to 1 day, override the variable haproxy_security_headers_max_age in the /etc/openstack_deploy/user_variables.yml file:

haproxy_security_headers_max_age: 86400

If you would like your domain included in the HSTS preload list, which is built into browsers, before submitting your request to be added to the HSTS preload list you must add the preload token to your response header. The preload token indicates to the maintainers of HSTS preload list that you are happy to have your site included.

- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains; preload;\""

X-Content-Type-Options

The X-Content-Type-Options header prevents MIME type sniffing.

This functionality can be changed by overriding the list of headers in haproxy_security_headers variable in the /etc/openstack_deploy/user_variables.yml file.

Referrer Policy

The Referrer-Policy header controls how much referrer information is sent with requests. It defaults to same-origin, which does not send the origin path for cross-origin requests.

This functionality can be changed by overriding the list of headers in haproxy_security_headers variable in the /etc/openstack_deploy/user_variables.yml file.

Permission Policy

The Permissions-Policy header allows you to selectively enable, disable or modify the use of browser features and APIs, previously known as Feature Policy.

By default this header is set to block access to all features apart from the following from the same origin; fullscreen, clipboard read, clipboard write and spatial navigation.

This functionality can be changed by overriding the list of headers in haproxy_security_headers variable in the /etc/openstack_deploy/user_variables.yml file.

Content Security Policy (CSP)

The Content-Security-Policy header allows you to control what resources a browser is allowed to load for a given page, which helps to mitigate the risks from Cross-Site Scripting (XSS) and data injection attacks.

By default, the Content Security Policy (CSP) enables a minimum set of resources to allow Horizon to work, which includes access the Nova console. If you require access to other resources these can be set by overriding the haproxy_security_headers_csp variable in the /etc/openstack_deploy/user_variables.yml file.

Report Only

Implementing CSP could lead to broken content if a browser is blocked from accessing certain resources, therefore it is recommended that when testing CSP you use the Content-Security-Policy-Report-Only header, instead of Content-Security-Policy, this reports CSP violations to the browser console, but does not enforce the policy.

To set the CSP policy to report only by overriding the haproxy_security_headers_csp_report_only variable to True in the /etc/openstack_deploy/user_variables.yml file:

haproxy_security_headers_csp_report_only: True

Reporting Violations

It is recommended that you monitor attempted CSP violations in production, this is achieved by setting the report-uri and report-to tokens.

Federated Login

When using federated login you will need to override the default Content Security Policy to allow access to your authorisation server by overriding the haproxy_horizon_csp variable in the /etc/openstack_deploy/user_variables.yml file:

haproxy_horizon_csp: "http-response set-header Content-Security-Policy \"default-src 'self'; frame-ancestors 'self'; form-action 'self' {{ external_lb_vip_address }}:5000 <YOUR-AUTHORISATION-SERVER-ORIGIN>; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};\""