QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-04-20 16:44:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Adds a Content Security Policy (CSP) check for production environments (#21874)

Browse Source
This commit is contained in:
Michael S. Molina
2022-10-20 08:45:28 -03:00
committed by GitHub
parent b17ef18aae
commit f4da74ce8d
3 changed files with 47 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/docs/security.mdx
View File

@@ -131,6 +131,28 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role,
will result in users of that role having `client_id=4` AND `client_id=5`
added to their query, which can never be true.
### Content Security Policiy (CSP)
[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added
layer of security that helps to detect and mitigate certain types of attacks, including
Cross-Site Scripting (XSS) and data injection attacks.
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can
occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains,
ignoring all other scripts (including inline scripts and event-handling HTML attributes).
A policy is described using a series of policy directives, each of which describes the policy for
a certain resource type or policy area. You can check possible directives
[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
It's extremely important to correclty configure a Content Security Policy when deploying Superset to
prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py`
where admnistrators can define the policy. When running in production mode, Superset will check for the presence
of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
### Reporting Security Vulnerabilities
Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its