fix(security): update horizon setting

This patch set updates some default horizon settings to be more secured. Change-Id: I7849cb0e9819d9e5cf4e149634e2bebee75a1c7f Signed-off-by: Tin Lam <tin@irrational.io>
2020-06-05 12:25:53 -05:00 · 2020-06-05 12:25:53 -05:00 · d122223214
commit d122223214
parent 3135f1f00c
1 changed files with 4 additions and 3 deletions
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -185,12 +185,13 @@ conf:
        debug: "False"
        keystone_multidomain_support: "True"
        keystone_default_domain: Default
-        disable_password_reveal: "False"
+        disable_password_reveal: "True"
        csrf_cookie_secure: "False"
+        enforce_password_check: "True"
        session_cookie_secure: "False"
        session_cookie_httponly: "False"
        secure_proxy_ssl_header: false
-        password_autocomplete: "off"
+        password_autocomplete: "False"
        disallow_iframe_embed: "False"
        allowed_hosts:
          - '*'
@ -593,7 +594,7 @@ conf:
        # Set this to True to display an 'Admin Password' field on the Change Password
        # form to verify that it is indeed the admin logged-in who wants to change
        # the password.
-        # ENFORCE_PASSWORD_CHECK = False
+        ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}

        # Modules that provide /auth routes that can be used to handle different types
        # of user authentication. Add auth plugins that require extra route handling to