Mitigate BREACH attacks using django-debreach
BREACH is a class of side-channel attacks on compressed HTTPS responses, not a flaw in one specific piece of software. An attacker who can make the victim's browser issue requests and can observe the size of the responses on the wire (TLS hides content, not length) guesses a secret byte by byte: a guess that matches the secret is compressed away as a back-reference and the response shrinks. To be vulnerable, a web application must:
* Be served from a server that applies HTTP-level compression (for example gzip) to response bodies
* Reflect user input in HTTP response bodies
* Reflect a secret (such as a CSRF token) in the same HTTP response bodies
Horizon meets all three conditions, so this blueprint adds the django-debreach module to horizon's requirements; it provides mitigation against BREACH attacks.
https:/
CSRF token masking is built into Django 1.10+: the token is combined with a fresh random salt on every response, so the secret never appears as a fixed string in the body and django-debreach's own token masking is redundant. Only the content-length modification feature of django-debreach therefore needs to be enabled; it appends padding of random length to each response so that the compressed size no longer tracks the attacker's guess.
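The following is an added example, not code from horizon, Django or django-debreach. It models the three conditions above on a constructed HTML page (a hex CSRF token next to a reflected search string), shows the compressed-size oracle a BREACH attacker uses, and then shows the two mitigations in simplified form: per-response token masking in the style Django 1.10+ applies (Django uses a larger alphabet than the hex one assumed here) and random-length padding in the style of django-debreach's content-length modification. The template, token value and padding bounds are assumptions made for the demo.

```python
# Added example: BREACH oracle and mitigations on a constructed page.
# Not code from horizon, Django or django-debreach.
import secrets
import zlib

HEX = "0123456789abcdef"

# Constructed HTML response: a CSRF token (the secret) and a reflected search
# string (attacker-controlled input) share one compressed response body.
TEMPLATE = (
    "<html><body>\n"
    "<form method='post'>"
    "<input type='hidden' name='csrfmiddlewaretoken' value='{token}'>"
    "</form>\n"
    "<p>No results for <b>{query}</b></p>\n"
    "</body></html>\n"
)
TOKEN = "7f3a9c1e2b4d"  # constructed secret; hex keeps the guess alphabet small


def render(query: str, token: str = TOKEN) -> str:
    """The vulnerable page: reflects user input next to a fixed secret."""
    return TEMPLATE.format(token=token, query=query)


def compressed_size(body: str) -> int:
    """What a network observer learns: TLS hides the content, not the
    length of the DEFLATE-compressed body."""
    return len(zlib.compress(body.encode("utf-8"), 6))


def leak_demo() -> tuple:
    """A right guess of the whole token is swallowed by one LZ77 back-reference;
    a wrong guess costs a literal per character. Returns (right, wrong) sizes."""
    right = compressed_size(render("value='7f3a9c1e2b4d'"))
    wrong = compressed_size(render("value='e4b2d1c9a3f7'"))
    return right, wrong


def breach_candidates(known_prefix: str, alphabet: str = HEX, page=render) -> list:
    """One byte-at-a-time BREACH step: inject the secret's context ("value='")
    plus the known prefix plus each guess, and return the guesses whose
    response compresses smallest. The right guess normally sits in this set;
    ties with cheap literals are broken in real attacks with extra requests."""
    sizes = {c: compressed_size(page(f"value='{known_prefix}{c}")) for c in alphabet}
    best = min(sizes.values())
    return sorted(c for c, size in sizes.items() if size == best)


def mask_secret(secret: str, alphabet: str = HEX) -> str:
    """Per-response masking in the style of Django 1.10+ (simplified alphabet):
    output is salt || (secret + salt) mod |alphabet|. Every response carries a
    different string, so there is no stable substring for the oracle to match."""
    salt = "".join(secrets.choice(alphabet) for _ in secret)
    masked = "".join(
        alphabet[(alphabet.index(s) + alphabet.index(k)) % len(alphabet)]
        for s, k in zip(secret, salt)
    )
    return salt + masked


def unmask_secret(value: str, alphabet: str = HEX) -> str:
    """Server side of mask_secret: split off the salt and subtract it out."""
    half = len(value) // 2
    salt, masked = value[:half], value[half:]
    return "".join(
        alphabet[(alphabet.index(m) - alphabet.index(k)) % len(alphabet)]
        for m, k in zip(masked, salt)
    )


def append_random_comment(body: str, min_bytes: int = 12, max_bytes: int = 24) -> str:
    """Content-length randomisation in the style of django-debreach: append an
    HTML comment of random length and random content. Bounds are assumed."""
    n = min_bytes + secrets.randbelow(max_bytes - min_bytes + 1)
    return body + f"<!-- {secrets.token_hex(n)} -->\n"


def padded_sizes(query: str, samples: int = 30) -> list:
    """Sizes an attacker sees for one fixed guess once padding is applied: they
    vary from request to request, so the size no longer reflects the guess."""
    return [compressed_size(append_random_comment(render(query))) for _ in range(samples)]


if __name__ == "__main__":
    print("right/wrong full-guess sizes:", leak_demo())
    print("candidates for the byte after '7f3a':", breach_candidates("7f3a"))
    masked = mask_secret(TOKEN)
    print("masked token:", masked, "->", unmask_secret(masked))
    print("padded sizes for one fixed guess:", padded_sizes("value='7f3a9", 8))
```

The candidate set returned by `breach_candidates` is what the attacker narrows down one byte per round; with masking the secret string in the body changes every response, and with padding the sizes for a single guess spread over several values, which is why the blueprint only needs the padding feature on top of Django's built-in masking.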
Blueprint information
- Status: Complete
- Approver: Ivan Kolodyazhny
- Priority: Medium
- Drafter: Nishant Kumar
- Direction: Approved
- Assignee: Nishant Kumar
- Definition: Approved
- Series goal: Accepted for 15.0.0-stein
- Implementation: Implemented
- Milestone target: stein-1
- Started by: Akihiro Motoki
- Completed by: Akihiro Motoki
Whiteboard
Gerrit topic: https:/
Addressed by: https:/ (Add django-debreach to horizon)