The OpenStack Dashboard service security includes:

  • Linux node security
  • Django security
  • Application security (Horizon)
  • Apache httpd web application container and its AppArmor/SELinux profiles
  • Apache httpd and mod_wsgi configuration
  • Apache TLS and cipher suite configuration

To secure the OpenStack Dashboard service:

  • Do not deploy OpenStack Dashboard on a shared subdomain with user-generated content (EoP).

  • Disable local image uploads through Horizon by setting HORIZON_IMAGES_ALLOW_UPLOAD to False in your local_settings.py file to protect against a DoS attack.

  • Configure the ALLOWED_HOSTS setting with the fully qualified host name(s) that are served by the OpenStack Dashboard (EoP).

  • Deploy the OpenStack Dashboard service behind the HTTPS web server with TLS v1.2.


    A user should set up a local DNS resolver to resolve hostnames (FQDN) of TLS-wrapped endpoints to corresponding IP addresses of these endpoints to mitigate the spoofing threat.

  • For HTTPS set session cookie to HTTPONLY.

  • To secure the session and the CSRF cookie, update the following options in the /etc/openstack-dashboard/local_settings.py file:

  • Configure your web server to send a restrictive Cross Origin Resource Sharing (CORS) header with each response allowing only the dashboard domain and protocol:

    Access-Control-Allow-Origin: https://example.com/


    Do not allow the wild card origin to mitigate DoS threat.

  • Deploy the OpenStack Dashboard service to a dedicated virtual machine or container, in a demilitarized zone (DMZ) separated from other services.

  • Protect a Linux host and Apache web server following security best practices.

  • To store as a session state, use dedicated Memcache servers, not shared with other OpenStack services (EoP).

  • Disable HTTP methods you do not need.

  • Use TFA for a Web access to mitigate EoP.

  • Follow OWASP security guidelines for web application security.

  • To mitigate EoP and DoS threats, place the OpenStack Dashboard service beyond a Web Application Firewall (WAF).

  • To mitigate EoP, use IDPS along with real time threat monitoring software.

  • Prior to deploying the OpenStack Dashboard service into production, perform security assessment:

    1. Scan all publicly exposed IPs with a vulnerability assessment tool.
    2. Run a penetration test according to the OWASP top ten guideline.