--- title: Network and Security Settings sidebar_position: 7 version: 1 --- # Network and Security Settings ## CORS :::note In Superset versions prior to `5.x` you have to install to install `flask-cors` with `pip install flask-cors` to enable CORS support. ::: The following keys in `superset_config.py` can be specified to configure CORS: - `ENABLE_CORS`: Must be set to `True` in order to enable CORS - `CORS_OPTIONS`: options passed to Flask-CORS ([documentation](https://flask-cors.readthedocs.io/en/latest/api.html#extension)) ## HTTP headers Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/) Self-described as a small Flask extension that handles setting HTTP headers that can help protect against a few common web application security issues. ## HTML Embedding of Dashboards and Charts There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard. ### Embedding a Public Direct Link to a Dashboard This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code. #### Changing flask-talisman CSP Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section: ```python TALISMAN_ENABLED = True TALISMAN_CONFIG = { "content_security_policy": { ... "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"], ... ``` Restart Superset for this configuration change to take effect. #### Making a Dashboard Public 1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py` 2. Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards) #### Embedding a Public Dashboard Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so: ```html ``` #### Embedding a Chart A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code` ### Enabling Embedding via the SDK Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard". To enable this entry, add the following line to the `.env` file: ```text SUPERSET_FEATURE_EMBEDDED_SUPERSET=true ``` ## CSRF settings Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used to manage some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are running a custom auth postback endpoint), you can add the endpoints to `WTF_CSRF_EXEMPT_LIST`: ## SSH Tunneling 1. Turn on feature flag - Change [`SSH_TUNNELING`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L489) to `True` - If you want to add more security when establishing the tunnel we allow users to overwrite the `SSHTunnelManager` class [here](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L507) - You can also set the [`SSH_TUNNEL_LOCAL_BIND_ADDRESS`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L508) this the host address where the tunnel will be accessible on your VPC 2. Create database w/ ssh tunnel enabled - With the feature flag enabled you should now see ssh tunnel toggle. - Click the toggle to enable SSH tunneling and add your credentials accordingly. - Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider. 3. Verify data is flowing - Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing. ## Domain Sharding :::note Domain Sharding is deprecated as of Superset 5.0.0, and will be removed in Superset 6.0.0. Please Enable HTTP2 to keep more open connections per domain. ::: Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in dashboard, a lot of time fetch requests are queued up and wait for next available socket. [PR 5039](https://github.com/apache/superset/pull/5039) adds domain sharding to Superset, and this feature will be enabled by configuration only (by default Superset doesn’t allow cross-domain request). Add the following setting in your `superset_config.py` file: - `SUPERSET_WEBSERVER_DOMAINS`: list of allowed hostnames for domain sharding feature. Please create your domain shards as subdomains of your main domain for authorization to work properly on new domains. For Example: - `SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']` or add the following setting in your `superset_config.py` file if domain shards are not subdomains of main domain. - `SESSION_COOKIE_DOMAIN = '.mydomain.com'` ## Middleware Superset allows you to add your own middleware. To add your own middleware, update the `ADDITIONAL_MIDDLEWARE` key in your `superset_config.py`. `ADDITIONAL_MIDDLEWARE` should be a list of your additional middleware classes. For example, to use `AUTH_REMOTE_USER` from behind a proxy server like nginx, you have to add a simple middleware class to add the value of `HTTP_X_PROXY_REMOTE_USER` (or any other custom header from the proxy) to Gunicorn’s `REMOTE_USER` environment variable.