diff --git a/docker/docker-bootstrap.sh b/docker/docker-bootstrap.sh
index d20f28007f1..35871fc4208 100755
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -80,7 +80,23 @@ case "${1}" in
 ;;
 app)
 echo "Starting web app (using development server)..."
- flask run -p $PORT --reload --debugger --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
+
+ # Environment-based debugger control for security
+ # Only enable Werkzeug interactive debugger when explicitly requested
+ # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
+ # Override FLASK_DEBUG so the effective state matches SUPERSET_DEBUG_ENABLED even
+ # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
+ if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
+ export FLASK_DEBUG=1
+ DEBUGGER_FLAG="--debugger"
+ echo " ⚠️ Werkzeug debugger enabled (requires PIN for /console access)"
+ else
+ export FLASK_DEBUG=0
+ DEBUGGER_FLAG="--no-debugger"
+ echo " 🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
+ fi
+
+ flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
 ;;
 app-gunicorn)
 echo "Starting web app..."
diff --git a/docs/admin_docs/installation/pypi.mdx b/docs/admin_docs/installation/pypi.mdx
index 820ac776b95..7dd5b4b8e79 100644
--- a/docs/admin_docs/installation/pypi.mdx
+++ b/docs/admin_docs/installation/pypi.mdx
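Review bot: With `SUPERSET_DEBUG_ENABLED=true` the new `flask run` line still passes `--host=0.0.0.0` together with `--debugger`, which is the combination the warning added to pypi.mdx in this same commit says to avoid, so the PIN is the only control left on `/console`. Inside a container the wildcard bind is usually needed for port publishing, so the real exposure is decided by the published port mapping (not visible in this hunk); I would say so in the enabled-branch message, e.g. `echo " ⚠️ Werkzeug debugger enabled on 0.0.0.0:${PORT} (PIN required); publish this port on 127.0.0.1 only"`. The comment `Modern Werkzeug (3.0+) includes PIN protection` should drop the version, since the PIN predates 3.0, and it is printed to the server log, so it holds only while log access is restricted. As a style point, quote the expansions on the run line, `"$PORT"` and `"$DEBUGGER_FLAG"`, so an empty or space-containing value cannot change the argument list. The `case` arm begins and ends outside the hunk.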
@@ -157,8 +157,15 @@ superset load_examples superset init # To start a development web server on port 8088, use -p to bind to another port -superset run -p 8088 --with-threads --reload --debugger +superset run -p 8088 --with-threads --reload + +# For debugging with interactive console (⚠️ localhost only) +# superset run -p 8088 --with-threads --reload --debugger ``` +:::warning Security Note +The `--debugger` flag enables Werkzeug's interactive console at `/console`. Only use this for local development and never bind to `0.0.0.0` or expose the server to networks when debugging is enabled. +::: + If everything worked, you should be able to navigate to `hostname:port` in your browser (e.g. locally by default at `localhost:8088`) and login using the username and password you created. diff --git a/docs/admin_docs_versioned_docs/version-6.1.0/installation/pypi.mdx b/docs/admin_docs_versioned_docs/version-6.1.0/installation/pypi.mdx index 820ac776b95..7dd5b4b8e79 100644 --- a/docs/admin_docs_versioned_docs/version-6.1.0/installation/pypi.mdx +++ b/docs/admin_docs_versioned_docs/version-6.1.0/installation/pypi.mdx @@ -157,8 +157,15 @@ superset load_examples superset init # To start a development web server on port 8088, use -p to bind to another port -superset run -p 8088 --with-threads --reload --debugger +superset run -p 8088 --with-threads --reload + +# For debugging with interactive console (⚠️ localhost only) +# superset run -p 8088 --with-threads --reload --debugger ``` +:::warning Security Note +The `--debugger` flag enables Werkzeug's interactive console at `/console`. Only use this for local development and never bind to `0.0.0.0` or expose the server to networks when debugging is enabled. +::: + If everything worked, you should be able to navigate to `hostname:port` in your browser (e.g. locally by default at `localhost:8088`) and login using the username and password you created. 
diff --git a/docs/developer_docs/contributing/development-setup.md b/docs/developer_docs/contributing/development-setup.md index 4760dd550d3..c0ac0d165bb 100644 --- a/docs/developer_docs/contributing/development-setup.md +++ b/docs/developer_docs/contributing/development-setup.md @@ -102,6 +102,8 @@ Affecting the Docker build process: save some precious time on startup by `SUPERSET_LOAD_EXAMPLES=no docker compose up` - **SUPERSET_LOG_LEVEL (default=info)**: Can be set to debug, info, warning, error, critical for more verbose logging +- **SUPERSET_DEBUG_ENABLED (default=false)**: Enable Werkzeug debugger with interactive console. + Set to `true` for debugging: `SUPERSET_DEBUG_ENABLED=true docker compose up` For more env vars that affect your configuration, see this [superset_config.py](https://github.com/apache/superset/blob/master/docker/pythonpath_dev/superset_config.py)