openstack/openstack-helm
Code Issues Proposed changes

Horizon – API Handling – HTTP Security Headers Not Present

Browse Source 
Added new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS)

Added new Header and set X-Permitted-Cross-Domain-Policies: "none"

Change-Id: I6f89ffb44ad805039c4074889a7c15fbef6fc95e
This commit is contained in:
NarlaSandeepNarlaSaibaba 2019-10-09 14:45:18 -05:00 committed by Steve Wilkerson
parent 6e4ab4aa0c
commit 243f74f10d
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
horizon/values.yaml
View File

@ -167,19 +167,17 @@ conf:
# Require all denied # Require all denied
#</DirectoryMatch> #</DirectoryMatch>
# #Security-Settings
# Setting this header will prevent MSIE from interpreting files as something # Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers. # else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled. # Requires mod_headers to be enabled.
# #
#Header set X-Content-Type-Options: "nosniff" Header set X-Content-Type-Options: "nosniff"
Header set X-Permitted-Cross-Domain-Policies: "none"
#
# Setting this header will prevent other sites from embedding pages from this # Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks. # site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled. # Requires mod_headers to be enabled.
# #
#Header set X-Frame-Options: "sameorigin"
local_settings: local_settings:
config: config:
# Use "True" and "False" as Titlecase strings with quotes, boolean # Use "True" and "False" as Titlecase strings with quotes, boolean