To secure the OpenStack Dashboard service:
Do not deploy OpenStack Dashboard on a shared subdomain with user-generated content (EoP).
Disable local image uploads through Horizon by setting HORIZON_IMAGES_ALLOW_UPLOAD to False in your local_settings.py file to protect against a DoS attack.
Configure the ALLOWED_HOSTS setting with the fully qualified host name(s)
that are served by the OpenStack Dashboard (EoP).
Deploy the OpenStack Dashboard service behind the HTTPS web server with TLS v1.2.
Note
A user should set up a local DNS resolver to resolve hostnames (FQDN) of TLS-wrapped endpoints to corresponding IP addresses of these endpoints to mitigate the spoofing threat.
For HTTPS, set the session cookie to HttpOnly. To secure the session and the CSRF cookies, update the following options in the /etc/openstack-dashboard/local_settings.py file:
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
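As an added example (not part of the original guide), the following Python script audits a Horizon local_settings.py for the settings described above: HORIZON_IMAGES_ALLOW_UPLOAD, ALLOWED_HOSTS, and the three cookie options. It reads the file with the ast module rather than executing it, and the two sample settings files are constructed for the demonstration.

```python
import ast
# Values the guide recommends; ALLOWED_HOSTS is checked separately below.
EXPECTED = {
    "HORIZON_IMAGES_ALLOW_UPLOAD": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
}


def load_assignments(source):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # non-literal expression, e.g. an os.environ lookup
    return values


def audit_settings(source):
    """Return a list of findings for a local_settings.py source; [] means all pass."""
    values = load_assignments(source)
    findings = []
    for name, wanted in EXPECTED.items():
        if values.get(name) is not wanted:  # missing settings show up as None
            findings.append(f"{name} is {values.get(name)!r}, expected {wanted!r}")
    hosts = values.get("ALLOWED_HOSTS") or []
    if not hosts:
        findings.append("ALLOWED_HOSTS is empty or unset")
    elif any(h == "*" or str(h).startswith(".") for h in hosts):
        findings.append(f"ALLOWED_HOSTS {hosts!r} contains a wildcard; list FQDNs only")
    return findings


# Constructed sample: a weak file beside one hardened as the guide describes.
WEAK_SETTINGS = """\
HORIZON_IMAGES_ALLOW_UPLOAD = True
ALLOWED_HOSTS = ['*']
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = False
"""
HARDENED_SETTINGS = """\
HORIZON_IMAGES_ALLOW_UPLOAD = False
ALLOWED_HOSTS = ['dashboard.example.com']
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
"""
```

Running audit_settings(WEAK_SETTINGS) reports four findings (upload enabled, wildcard host, insecure CSRF cookie, missing SESSION_COOKIE_SECURE), while the hardened file reports none.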
Configure your web server to send a restrictive Cross-Origin Resource Sharing (CORS) header with each response, allowing only the dashboard origin (scheme and host, with no path or trailing slash):
Access-Control-Allow-Origin: https://example.com
Note
Do not allow the wildcard (*) origin, to mitigate the DoS threat.
Deploy the OpenStack Dashboard service to a dedicated virtual machine or container, in a demilitarized zone (DMZ) separated from other services.
Protect a Linux host and Apache web server following security best practices.
To store session state, use dedicated Memcached servers that are not shared with other OpenStack services (EoP).
Disable HTTP methods you do not need.
Use two-factor authentication (TFA) for web access to mitigate EoP.
Follow OWASP security guidelines for web application security.
To mitigate EoP and DoS threats, place the OpenStack Dashboard service behind a Web Application Firewall (WAF).
To mitigate EoP, use an intrusion detection and prevention system (IDPS) along with real-time threat monitoring software.
Prior to deploying the OpenStack Dashboard service into production, perform security assessment: