Red Hat OpenStack Services on OpenShift: OSPRH-7367

The HSTS header is not present when accessing Horizon from outside


    • Bug
    • Resolution: Done-Errata
    • Critical
    • rhos-18.0.0
    • horizon-operator
    • OSPRH-450 - TLS-everywhere
    • horizon-operator-bundle-container-1.0.0-15
    • .Dashboard service operators now include HSTS header

      Before this update, HSTS was only enabled in Django through the Dashboard service (horizon) application. However, user HTTPS sessions were going through the OpenShift route, where HSTS was disabled.
      With this update, HSTS is enabled on the OpenShift route.
    • Bug Fix
    • Done
    • Important

      Despite configuring Django to add the HSTS headers, they are not present in Horizon responses when accessed from the outside. It's possible that they are being removed by HAProxy.

      We need to make sure HAProxy is configured either to pass those headers, or to add them itself.

              rhn-support-bshephar Brendan Shephard
              rhn-engineering-rdopiera Radomir Dopieralski
              Brendan Shephard
              rhos-dfg-ui

                Created:
                Updated:
                Resolved:
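A check for the condition the release note describes, written as an added example that is not part of the issue or of the horizon-operator code: it audits Route objects for a router-level HSTS setting. The annotation name comes from the OpenShift router documentation rather than from this page, and it is an assumption that the fix uses it; the sample routes, hostnames and the one-year max-age floor are constructed.

```python
import re

# Annotation documented for the OpenShift HAProxy router; this page does not name it.
HSTS_ANNOTATION = "haproxy.router.openshift.io/hsts_header"
MIN_MAX_AGE = 31536000  # one year; assumed policy floor, not taken from the page

def parse_hsts(value):
    """Parse an HSTS value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m:
            max_age = int(m.group(1))
        elif directive == "includesubdomains":
            include_sub = True
        elif directive == "preload":
            preload = True
    return max_age, include_sub, preload

def audit_route(route):
    """Return findings for one Route object (dict shaped like `oc get route -o json`)."""
    name = route["metadata"]["name"]
    termination = (route.get("spec", {}).get("tls") or {}).get("termination")
    # The router only adds HSTS on routes where it terminates TLS itself.
    if termination not in ("edge", "reencrypt"):
        return [f"{name}: {termination or 'no'} TLS termination, router-set HSTS does not apply"]
    value = (route["metadata"].get("annotations") or {}).get(HSTS_ANNOTATION)
    if value is None:
        return [f"{name}: {HSTS_ANNOTATION} annotation missing"]
    max_age, _, _ = parse_hsts(value)
    if max_age is None:
        return [f"{name}: annotation has no valid max-age"]
    if max_age < MIN_MAX_AGE:
        return [f"{name}: max-age {max_age} below {MIN_MAX_AGE}"]
    return []

# Constructed sample routes (names and hosts are made up for this example).
ROUTES = [
    {"metadata": {"name": "horizon-before", "annotations": {}},
     "spec": {"host": "horizon.example.test", "tls": {"termination": "edge"}}},
    {"metadata": {"name": "horizon-after", "annotations": {
        HSTS_ANNOTATION: "max-age=31536000;includeSubDomains"}},
     "spec": {"host": "horizon.example.test", "tls": {"termination": "reencrypt"}}},
]

if __name__ == "__main__":
    for r in ROUTES:
        print(r["metadata"]["name"], audit_route(r) or "OK")
```

An empty findings list only shows that the route object carries the setting; the header still has to be confirmed in a response fetched through the external route.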