[JIRA] (OVIRT-1231) Security: do we need HSTS for oVirt services?

Marc Dequènes (Duck) (oVirt JIRA) jira at ovirt-jira.atlassian.net
Thu Jun 29 05:59:23 UTC 2017


    [ https://ovirt-jira.atlassian.net/browse/OVIRT-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33023#comment-33023 ] 

Marc Dequènes (Duck) commented on OVIRT-1231:
---------------------------------------------

So, the only place using it is the new ML3 server, which is on production only for redirects. We're currently using the 'httpd' Ansible role to deploy the configuration, which activates it. The role also activates 'includeSubDomains'; this is a desired setting but only when all the vhosts on the domain are able to do HTTPS. This is not the case on all oVirt infra yet so it was deactivated manually at some point IIRC.

So, this solution is not perfect but avoiding protocol downgrade is already a very important protection and we should use it. We should also use 'includeSubDomains' when all our vhosts are ready. And we must not create new vhosts without HTTPS support even for testing. Here are my recommendations.


> Security: do we need HSTS for oVirt services?
> ---------------------------------------------
>
>                 Key: OVIRT-1231
>                 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1231
>             Project: oVirt - virtualization made easy
>          Issue Type: New Feature
>            Reporter: eedri
>            Assignee: infra
>
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> Most browsers already support it and some websites have started to enforce it.
> cc [~dfediuck]



--
This message was sent by Atlassian JIRA
(v1000.1092.0#100053)
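The rollout rule discussed in the comment above (always send HSTS on HTTPS vhosts, but add `includeSubDomains` only once every vhost under the domain serves HTTPS), as an added example that is not part of the ticket or of the oVirt infra code; the host inventory and `example.org` names are constructed.

```python
"""Decide what Strict-Transport-Security value is safe to deploy for a domain.

Constructed example, not oVirt infra code. A browser that caches a policy
carrying 'includeSubDomains' will refuse plain-HTTP connections to every
subdomain, so that directive is only safe once no HTTP-only vhost remains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    name: str    # constructed hostname, e.g. "lists.example.org"
    https: bool  # True if the vhost serves a working HTTPS endpoint


# Constructed inventory: one vhost still without HTTPS (hypothetical).
VHOSTS = [
    VHost("www.example.org", True),
    VHost("lists.example.org", True),
    VHost("old-ci.example.org", False),
]


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into directives.

    Names are case-insensitive (RFC 6797); max-age is mandatory and numeric.
    Valueless directives such as includeSubDomains map to True.
    """
    directives = {}
    for part in header.split(";"):
        if part := part.strip():
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') or True
    if not str(directives.get("max-age", "")).isdigit():
        raise ValueError("HSTS header needs a numeric max-age")
    directives["max-age"] = int(directives["max-age"])
    return directives


def vhosts_under(domain: str, vhosts) -> list:
    """Vhosts covered by an includeSubDomains policy for `domain`."""
    return [v for v in vhosts if v.name == domain or v.name.endswith("." + domain)]


def unsafe_for(header: str, domain: str, vhosts) -> list:
    """Hostnames that would break if `header` were served for `domain`."""
    if "includesubdomains" not in parse_hsts(header):
        return []
    return sorted(v.name for v in vhosts_under(domain, vhosts) if not v.https)


def build_hsts(domain: str, vhosts, max_age: int = 31536000) -> str:
    """Header value to deploy: includeSubDomains only when every vhost is ready."""
    value = f"max-age={max_age}"
    if all(v.https for v in vhosts_under(domain, vhosts)):
        value += "; includeSubDomains"
    return value
```

`build_hsts` is what an Ansible template for the httpd role would render into `Header always set Strict-Transport-Security "..."`; `unsafe_for` is the check to run before flipping the directive on.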