Security: do we need HSTS for oVirt services?

Description

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Most browsers already support it, and some websites have started to enforce it.

Activity

Eyal Edri June 12, 2018 at 1:29 PM

HSTS is already enabled for oVirt services.

Marc Dequènes (Duck) June 29, 2017 at 5:59 AM

So, the only place using it is the new ML3 server, which is in production only for redirects. We're currently using the 'httpd' Ansible role to deploy the configuration, which activates it. The role also activates 'includeSubDomains'; this is a desired setting, but only when all the vhosts on the domain are able to do HTTPS. This is not the case on all oVirt infra yet, so it was deactivated manually at some point IIRC.

So, this solution is not perfect, but avoiding protocol downgrade is already a very important protection and we should use it. We should also use 'includeSubDomains' when all our vhosts are ready. And we must not create new vhosts without HTTPS support, even for testing. Here are my recommendations.
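As an added example (not oVirt infra code nor the httpd role's configuration), a parser for the Strict-Transport-Security header value plus a check of the includeSubDomains caveat raised above against a constructed vhost inventory, where each hostname is marked as serving HTTPS or not:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a header value; raise ValueError for a policy browsers would ignore."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # other directives are unknown and ignored, as RFC 6797 requires
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def is_valid_hsts(header: str) -> bool:
    try:
        parse_hsts(header)
        return True
    except ValueError:
        return False

def broken_by_include_subdomains(policy: HstsPolicy, vhosts: Dict[str, bool]) -> List[str]:
    """Hostnames that break if `policy` is served on the parent domain: with
    includeSubDomains a browser refuses plain HTTP for every subdomain.
    `vhosts` maps hostname -> True when it serves HTTPS (constructed inventory)."""
    if not policy.include_subdomains:
        return []  # only the host itself is pinned to HTTPS
    return sorted(host for host, https_ok in vhosts.items() if not https_ok)
```

Any hostname the check returns is an HTTP-only vhost that would become unreachable the moment includeSubDomains is switched on for the parent domain.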

Former user June 28, 2017 at 2:52 PM

Are we already using this?

Fixed

Details

Created March 6, 2017 at 3:47 PM
Updated September 2, 2018 at 3:51 PM
Resolved June 12, 2018 at 1:29 PM