HTTP Security headers not enabled

Bug #1836518 reported by Xav Paice
Affects: OpenStack Dashboard Charm
Status: Fix Committed
Importance: Wishlist
Assigned to: Erhan Sunar
Milestone: (none)

Bug Description

The following HTTP Security headers were not identified during a security scan and could be enabled to further increase security:

• Cacheable HTTPS Response - Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

RECOMMENDATION:
Applications should return caching directives instructing browsers not to store local copies of any sensitive data. The Web Server should return the following headers:

Cache-control: no-store
Pragma: no-cache

James Page (james-page)
Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Wishlist
information type: Private Security → Public
Xav Paice (xavpaice) wrote :

Subscribed field-medium as this is a commercial requirement, for a site running Bionic/queens.

Erhan Sunar (esunar)
Changed in charm-openstack-dashboard:
assignee: nobody → Erhan Sunar (esunar)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (master)
Erhan Sunar (esunar)
Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
Billy Olsen (billy-olsen) wrote :

Moving back to in-progress - fix isn't committed until it lands in the repository.

Changed in charm-openstack-dashboard:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/855437
Committed: https://opendev.org/openstack/charm-openstack-dashboard/commit/a11b43558f363d48edf6626902bfabe059d5e99e
Submitter: "Zuul (22348)"
Branch: master

commit a11b43558f363d48edf6626902bfabe059d5e99e
Author: Erhan Sunar <email address hidden>
Date: Wed Aug 31 23:43:48 2022 +0300

    Disabled browser cache(excluding static files)

    Added or replaced Cache-Control and Pragma http headers with:
    Cache-Control: no-store
    Pragma: no-cache

    func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/865
    Closes-Bug: #1836518
    Change-Id: If437c5e41892e09adbaaa1add494c85671706622

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
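The following is an added example, not code from the charm, from Horizon, or from the merged change above. It shows the two halves of this bug in working form: a small checker that evaluates a response's headers the way the scanner did (reporting whether `Cache-Control: no-store` and `Pragma: no-cache` are missing), and a WSGI middleware that applies those two headers to every response except static assets, mirroring the scope described in the commit message. The `/static/` prefix, the `demo_app` stand-in for the dashboard and its sample headers are constructed for the example; the charm's real exclusion rule is not reproduced here.

```python
"""Added example (not the charm's own code): check a response for the
cacheable-HTTPS finding from the bug report, and a WSGI middleware that
applies the recommended no-store / no-cache headers to non-static responses."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Assumption for this example: Horizon serves its assets under /static/.
# The charm's actual exclusion rule for static files is not reproduced here.
STATIC_PREFIXES = ("/static/",)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument_or_None}.

    Directive names are case-insensitive, so they are lower-cased; quoted
    arguments have their quotes stripped.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_findings(headers: Headers) -> List[str]:
    """Return the scanner-style findings for a response's headers.

    An empty list means both recommended directives are present. Multiple
    Cache-Control headers are combined, as RFC 7230 allows for list headers.
    """
    cache_control: List[str] = []
    pragma: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "cache-control":
            cache_control.append(value)
        elif lname == "pragma":
            pragma.append(value)
    directives = parse_cache_control(",".join(cache_control))
    pragma_tokens = {p.strip().lower() for v in pragma for p in v.split(",")}

    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control: no-store missing")
    if "no-cache" not in pragma_tokens:
        findings.append("Pragma: no-cache missing")
    return findings


def no_store_middleware(app: Callable, static_prefixes=STATIC_PREFIXES) -> Callable:
    """Wrap a WSGI app so every non-static response carries the two headers.

    Existing Cache-Control / Pragma headers on those responses are replaced
    rather than appended to, so a permissive value cannot survive alongside
    no-store. Static paths are passed through untouched.
    """
    def wrapped(environ, start_response):
        if environ.get("PATH_INFO", "").startswith(static_prefixes):
            return app(environ, start_response)

        def sr(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if n.lower() not in ("cache-control", "pragma")]
            kept.append(("Cache-Control", "no-store"))
            kept.append(("Pragma", "no-cache"))
            return start_response(status, kept, exc_info)

        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for the dashboard: assets advertise a max-age,
    dynamic pages only say 'private', which still lets a browser store them."""
    if environ["PATH_INFO"].startswith("/static/"):
        start_response("200 OK", [("Content-Type", "text/css"),
                                  ("Cache-Control", "max-age=86400")])
        return [b"body{}"]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "private")])
    return [b"<html>dashboard</html>"]


def call_wsgi(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app offline and capture status, headers and body."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    wrapped_app = no_store_middleware(demo_app)
    for path in ("/project/", "/static/dashboard/css/app.css"):
        _, hdrs, _ = call_wsgi(wrapped_app, path)
        print(path, hdrs, cache_findings(hdrs) or "OK")
```

Running the block prints the headers the wrapped app emits for a dynamic page and for a static asset; the dynamic page has no findings after the middleware, while the asset keeps its `max-age` and is still reported as cacheable, which is the intended exclusion.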