    ccdf8c55
    Add django-debreach to horizon · ccdf8c55
    Nishant Kumar authored
    BREACH is a category of vulnerabilities and not a specific
    instance affecting a specific piece of software. To be vulnerable,
    a web application must:
    
      * Be served from a server that uses HTTP-level compression
      * Reflect user-input in HTTP response bodies
      * Reflect a secret (such as a CSRF token) in HTTP response bodies
    
    More details on the BREACH attack - http://breachattack.com/
    
    Since horizon falls under this category, we can include the django-debreach
    module within horizon as a requirement, which provides mitigation against BREACH attacks.
    
    https://github.com/lpomfrey/django-debreach
    
    CSRF token masking is a built-in feature within Django 1.10+,
    therefore only the content-length modification feature provided by django-debreach
    can be enabled.
    
    Depends-On: I32f11e089fc794444ef267b463c7fb2ad8cfa96a
    
    Change-Id: I2b4999ca7b0e1762c5273c4fe96f5ee768f44339
    Blueprint: mitigate-breach-attacks
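
The content-length modification the commit message refers to can be illustrated with the sketch below. It is an added example, not code from django-debreach or horizon; the helper names, the sample page and the token value are constructed for illustration. It shows that an unpadded compressed response has one fixed size, while appending a random-length HTML comment spreads the size over a range.

```python
import random
import string
import zlib

ALPHABET = string.ascii_letters + string.digits

# Constructed sample page: it reflects a query string and a CSRF token, so once
# it is compressed it meets the three conditions listed in the commit message.
SAMPLE_PAGE = (
    "<html><body><p>Results for: {query}</p>"
    "<input type='hidden' name='csrfmiddlewaretoken' value='{token}'>"
    "</body></html>"
)


def pad_html(body, rng, max_len=12):
    """Return body with an HTML comment of random length and content appended."""
    filler = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, max_len)))
    return f"{body}<!-- {filler} -->"


def compressed_len(body):
    """Size of the body after DEFLATE, which is what a network observer sees."""
    return len(zlib.compress(body.encode("utf-8"), 9))


def observed_lengths(body, rounds, rng=None):
    """Distinct compressed sizes seen over `rounds` identical requests.

    rng=None models the unmitigated server; passing an rng enables padding.
    """
    sizes = set()
    for _ in range(rounds):
        served = pad_html(body, rng) if rng is not None else body
        sizes.add(compressed_len(served))
    return sizes


if __name__ == "__main__":
    page = SAMPLE_PAGE.format(query="instances", token="CONSTRUCTED-TOKEN-0000")
    print("no padding:  ", sorted(observed_lengths(page, 50)))
    print("with padding:", sorted(observed_lengths(page, 50, random.SystemRandom())))
```

Random padding adds noise to the length signal rather than removing it, which is why it is paired with masked CSRF tokens, the part the commit message notes Django 1.10+ already provides.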