From d1222232144a6a7991eed49877533acf9fb4bca3 Mon Sep 17 00:00:00 2001
From: Tin Lam <tin@irrational.io>
Date: Fri, 5 Jun 2020 12:25:53 -0500
Subject: [PATCH] fix(security): update horizon setting

This patch set changes some default Horizon settings to more secure values (hide the password-reveal toggle, require the admin password on password changes, and disable password autocomplete).

Change-Id: I7849cb0e9819d9e5cf4e149634e2bebee75a1c7f
Signed-off-by: Tin Lam <tin@irrational.io>
---
 horizon/values.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/horizon/values.yaml b/horizon/values.yaml
index a52245bcb3..1d977f18db 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -185,12 +185,13 @@ conf:
         debug: "False"
         keystone_multidomain_support: "True"
         keystone_default_domain: Default
-        disable_password_reveal: "False"
+        disable_password_reveal: "True"
         csrf_cookie_secure: "False"
+        enforce_password_check: "True"
         session_cookie_secure: "False"
         session_cookie_httponly: "False"
         secure_proxy_ssl_header: false
-        password_autocomplete: "off"
+        password_autocomplete: "False"
         disallow_iframe_embed: "False"
         allowed_hosts:
           - '*'
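Review bot: The new `password_autocomplete: "False"` replaces the value `"off"`, which is the HTML `autocomplete` attribute token Horizon's `PASSWORD_AUTOCOMPLETE` setting has historically carried; if the local_settings template still renders this string into that attribute (the template is not in this hunk), browsers do not recognise `False` as a token and will fall back to their default behaviour, which is autocomplete on, so the change would silently undo the protection. Keep the documented token unless the template was also changed to map it: `password_autocomplete: "off"`. Separately, the commit describes itself as hardening but leaves `csrf_cookie_secure`, `session_cookie_secure` and `session_cookie_httponly` at `"False"` and `allowed_hosts` at `'*'` in the same stanza; at least the HttpOnly flag has no TLS dependency and could be flipped here, the others deserve a comment explaining that they require a TLS-terminating ingress. The enclosing `local_settings.config` mapping starts above the hunk.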
@@ -593,7 +594,7 @@ conf:
         # Set this to True to display an 'Admin Password' field on the Change Password
         # form to verify that it is indeed the admin logged-in who wants to change
         # the password.
-        # ENFORCE_PASSWORD_CHECK = False
+        ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check }}
 
         # Modules that provide /auth routes that can be used to handle different types
         # of user authentication. Add auth plugins that require extra route handling to
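Review bot: The added `ENFORCE_PASSWORD_CHECK = {{ ... .enforce_password_check }}` renders the raw values string into Python source, so it only produces a valid statement while the value stays the quoted string `"True"`/`"False"`; an operator override of `enforce_password_check: true` (a YAML boolean, which Go templates print as `true`) yields `ENFORCE_PASSWORD_CHECK = true` and a `NameError` when Django loads settings, taking the dashboard down rather than failing safe. Normalise the rendered token so both forms are accepted, e.g. `ENFORCE_PASSWORD_CHECK = {{ .Values.conf.horizon.local_settings.config.enforce_password_check | toString | title }}`, or add a comment on the value in the `config` stanza stating that it must remain a quoted `"True"`/`"False"` string. The surrounding `local_settings` template block continues outside this hunk.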