To secure the OpenStack Dashboard (Horizon) service, apply the following measures:
Do not deploy OpenStack Dashboard on a domain or subdomain that it shares with user-generated content: content served from the same origin, or from a sibling subdomain that can set cookies for the parent domain, can read or overwrite the dashboard session (EoP).
Disable local image uploads through Horizon by setting HORIZON_IMAGES_ALLOW_UPLOAD = False in your local_settings.py file, so that the Dashboard host does not have to receive and buffer arbitrarily large image files on behalf of users (DoS). Newer Horizon releases replace this option with HORIZON_IMAGES_UPLOAD_MODE = 'off'.
Configure the Django ALLOWED_HOSTS setting with the fully qualified host name(s) that are served by the OpenStack Dashboard. Django then rejects any request whose Host header does not match, which blocks host header injection; never use '*' (EoP).
Deploy the OpenStack Dashboard service behind an HTTPS-terminating web server that accepts TLS 1.2 or later only.
Note
Hostnames (FQDNs) of the TLS-wrapped endpoints must resolve to the correct IP addresses through a trusted local DNS resolver. Certificate validation is only as strong as name resolution: an attacker who controls DNS answers can direct clients to a spoofed endpoint.
When the Dashboard is served over HTTPS, mark the session cookie HttpOnly so that scripts cannot read it, and mark both the session and the CSRF cookie Secure so that browsers send them only over HTTPS. Update the following options in the /etc/openstack-dashboard/local_settings.py file:
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
Configure your web server to send a restrictive Cross-Origin Resource Sharing (CORS) header with each response, allowing only the dashboard origin (scheme and host, with no trailing slash or path, because browsers compare the value byte-for-byte with the request Origin):
Access-Control-Allow-Origin: https://example.com
Note
Do not use the wildcard origin *, which lets any site read dashboard responses.
Deploy the OpenStack Dashboard service to a dedicated virtual machine or container, in a demilitarized zone (DMZ) separated from other services.
Harden the Linux host and the Apache web server following security best practices.
Store session state in dedicated Memcached servers that are not shared with other OpenStack services, so that a compromise of another service's cache cannot expose or forge Dashboard sessions (EoP).
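The local_settings.py items above (image uploads, ALLOWED_HOSTS, cookie flags, Memcached-backed sessions) are easy to check mechanically before a deployment goes live. The following audit script is an added example, not part of the original page or of Horizon; it parses a local_settings.py with ast instead of importing it, because the file is real Python and typically calls helpers such as a secret-key generator. The two embedded settings files and the host names and Memcached addresses in them are constructed samples, the PyMemcacheCache backend name assumes a Django 3.2 or later release, and the fallback defaults are Django's and Horizon's documented defaults for the options checked.

```python
"""Audit a Horizon local_settings.py against the hardening items listed above."""
from __future__ import annotations

import ast
from typing import Any

# Constructed sample of a weak local_settings.py (not from any real deployment).
WEAK_SETTINGS = """
DEBUG = True
ALLOWED_HOSTS = ['*']
HORIZON_IMAGES_ALLOW_UPLOAD = True
SESSION_COOKIE_HTTPONLY = False
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
SECRET_KEY = secret_key.generate_or_read_from_file('/tmp/.secret_key_store')
"""

# Constructed sample of the hardened form of the same file.
HARDENED_SETTINGS = """
DEBUG = False
ALLOWED_HOSTS = ['dashboard.example.com']
HORIZON_IMAGES_ALLOW_UPLOAD = False
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        # Assumes Django >= 3.2; older releases use MemcachedCache.
        'BACKEND': 'django.core.cache.backends.memcached.PyMemcacheCache',
        'LOCATION': ['10.20.0.11:11211', '10.20.0.12:11211'],
    }
}
"""

# Values Django/Horizon use when the file does not set the option.
DEFAULTS: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": [],
    "HORIZON_IMAGES_ALLOW_UPLOAD": True,                     # Horizon default
    "SESSION_COOKIE_HTTPONLY": True,                         # Django default
    "SESSION_COOKIE_SECURE": False,                          # Django default
    "CSRF_COOKIE_SECURE": False,                             # Django default
    "SESSION_ENGINE": "django.contrib.sessions.backends.signed_cookies",  # Horizon default
    "CACHES": {},
}


def load_settings(source: str) -> dict[str, Any]:
    """Collect top-level NAME = <literal> assignments without executing the file."""
    found: dict[str, Any] = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                found[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                continue  # right-hand side is a call or expression, not a literal
    return found


def audit(found: dict[str, Any]) -> list[str]:
    """Return one finding per hardening item the settings fail (empty list = pass)."""
    s = {**DEFAULTS, **found}
    findings: list[str] = []
    if s["DEBUG"]:
        findings.append("DEBUG is True")
    hosts = s["ALLOWED_HOSTS"]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list the dashboard FQDN(s), not '*' or empty")
    # Newer releases use HORIZON_IMAGES_UPLOAD_MODE = 'off' instead of the boolean.
    if s.get("HORIZON_IMAGES_UPLOAD_MODE") != "off" and s["HORIZON_IMAGES_ALLOW_UPLOAD"]:
        findings.append("local image uploads through Horizon are enabled (DoS)")
    for name in ("SESSION_COOKIE_HTTPONLY", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not s[name]:
            findings.append(f"{name} is not True")
    backend = s["CACHES"].get("default", {}).get("BACKEND", "")
    if (s["SESSION_ENGINE"] != "django.contrib.sessions.backends.cache"
            or "memcached" not in backend):
        findings.append("session state is not stored in Memcached (SESSION_ENGINE/CACHES)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {audit(load_settings(text)) or 'OK'}")
```

Run it against a real file with `audit(load_settings(open('/etc/openstack-dashboard/local_settings.py').read()))`; settings assigned through calls or computed expressions are skipped by the parser, so anything the script cannot see should be reviewed by hand.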
Disable the HTTP methods you do not need, such as TRACE, and deny any method the dashboard does not use.
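An Apache virtual host that puts the TLS, CORS and HTTP-method items above into one place, as an added example that is not configuration from the original page or from the Horizon project. The host name dashboard.example.com, the certificate paths, the WSGI script path and the directory layout are assumptions for illustration and differ between distributions; TLSv1.3 in SSLProtocol assumes Apache 2.4.36 or later built against OpenSSL 1.1.1 or later, and the allowed method list matches what Horizon's REST API uses on recent releases and should be checked against the deployed version.

```apache
# /etc/apache2/sites-available/openstack-dashboard.conf (assumed path)
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<VirtualHost *:80>
    ServerName dashboard.example.com
    # Plain HTTP only redirects to HTTPS; nothing is served here.
    Redirect permanent / https://dashboard.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName dashboard.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dashboard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/dashboard.example.com.key
    # TLS 1.2 and later only; older protocol versions are refused.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    # Pin browsers to HTTPS and allow only the dashboard origin (no trailing slash).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Access-Control-Allow-Origin "https://dashboard.example.com"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"

    WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10
    WSGIProcessGroup horizon
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi.py
    Alias /static /usr/share/openstack-dashboard/static

    <Directory /usr/share/openstack-dashboard/openstack_dashboard>
        Require all granted
    </Directory>
    <Directory /usr/share/openstack-dashboard/static>
        Require all granted
    </Directory>

    # Deny every HTTP method the dashboard does not use (TRACE is already off).
    <Location />
        <LimitExcept GET HEAD POST PUT PATCH DELETE>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>
```

After enabling the site, confirm the method restriction and the protocol floor from a client, for example with `curl -X TRACE` (expect 405) and `openssl s_client -tls1_1` (expect a handshake failure).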
Use two-factor authentication (2FA) for web access to mitigate EoP.
Follow OWASP security guidelines for web application security.
To mitigate EoP and DoS threats, place the OpenStack Dashboard service behind a Web Application Firewall (WAF).
To mitigate EoP, use an intrusion detection and prevention system (IDPS) together with real-time threat monitoring software.
Prior to deploying the OpenStack Dashboard service into production, perform security assessment: