Security headers are HTTP response headers that, when set, increase the security of your application by restricting modern browsers from running easily preventable vulnerabilities. You can inspect your site using https://securityheaders.com/

This patch implements the following headers:

- strict-transport-security - HSTS enforces the use of HTTPS
- x-content-type-options - Stops the browser from changing the Content-Type
- referrer-policy - Control what information a browser includes when it navigates from a page
- content-security-policy - CSP protects sites from XSS attacks by controlling what resources a browser is able to load

Only enabled if HTTPS is in use.

There is the option to extend to all haproxy services in the future, but as the headers are only used by browsers there may be limited benefit to doing this other than for keystone and console services.

Each of the headers set should have no effect on the operation of the site apart from the CSP header. As the CSP header restricts what resources a browser is allowed to load, if for example an OpenStack instance is using federated login, CSP will block the redirect. To fix this, the admin will need to override the CSP, using `haproxy_horizon_csp` to set the allowed list of resources.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/818532
Change-Id: Ia99da8e4687b0a1d440f86d1c8be723ce2bfe061
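As an added example that is not part of this change or the openstack-ansible role's own template, this is what a rendered haproxy frontend carrying the four headers could look like, with each header applied only on TLS connections; the certificate path, backend address and the identity-provider origin https://idp.example.org are assumptions, as is the choice of form-action as the directive a federated login override needs.

```haproxy
# Added example (not the openstack-ansible role's own template): one haproxy
# frontend for the Horizon dashboard that emits the four headers the change
# describes, only on responses that arrived over TLS. Certificate path,
# backend address and the IdP origin https://idp.example.org are assumptions.
frontend horizon-front
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/horizon.pem
    mode http
    # Plain-HTTP requests are redirected to HTTPS; the header rules below
    # are guarded by ssl_fc, so they never fire for plain-HTTP responses.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # HSTS: browsers remember for a year that this host is HTTPS-only.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }
    # Stop MIME sniffing, so a mislabelled response is not executed as script.
    http-response set-header X-Content-Type-Options "nosniff" if { ssl_fc }
    # Send the Referer header only for same-origin navigations.
    http-response set-header Referrer-Policy "same-origin" if { ssl_fc }
    # CSP: same-origin resources only, and the dashboard may not be framed.
    # The extra form-action source is the kind of entry an operator would set
    # through haproxy_horizon_csp when a federated login sends the browser to
    # an identity provider (assumed here to be https://idp.example.org).
    # A real Horizon policy will need more sources than this; tune it rather
    # than copying it, and check the result at https://securityheaders.com/.
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; form-action 'self' https://idp.example.org" if { ssl_fc }

    default_backend horizon-back

backend horizon-back
    mode http
    # Assumed container address for the Horizon service.
    server horizon1 172.29.236.11:80 check
```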