Bug description
https://github.com/apache/superset/pull/31590/files#r2266640153
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @izissise! I'm Dosu and I’m helping the superset team.
TALISMAN (Flask-Talisman) is explicitly disabled by default in Superset's config.py on the latest master branch—`TALISMAN_ENABLED = False`. The config still includes detailed TALISMAN_CONFIG and TALISMAN_DEV_CONFIG settings, but these only take effect if you enable TALISMAN yourself. This decision isn't explained in the theming PR you linked, as that PR doesn't address security settings.
The main reason for disabling TALISMAN by default is that flask-talisman is largely unmaintained, and maintainers consider it a potential long-term liability. There's ongoing discussion about replacing it with a better-maintained library or improving documentation for security headers. Disabling TALISMAN is also a common workaround for login issues, especially in non-HTTPS setups or with certain authentication flows like Okta OAuth. You can read more about these concerns and future plans in this discussion: GitHub Discussion #31764.
If you need to enforce security headers, you can either enable TALISMAN and customize its config, or set headers directly using HTTP_HEADERS or OVERRIDE_HTTP_HEADERS in your config. For more details on customizing security headers, see the Superset documentation and examples in config.py.
To reply, just mention @dosu.
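Whichever route you take (enabling TALISMAN with a tuned TALISMAN_CONFIG, or setting HTTP_HEADERS / OVERRIDE_HTTP_HEADERS), the check a practitioner wants afterwards is whether the running instance actually sends the headers. The script below is an added example, not code from Superset or from the bot's reply: it parses raw response headers (what `curl -sI https://your-superset/login/` prints) and reports which common browser security headers are absent or weak. The list of required headers and the checks are this example's own policy, not something Superset mandates, and the two sample responses are constructed for illustration (the "unhardened" one approximates a dev deployment with TALISMAN_ENABLED = False, which sends only the framework's own headers).

```python
"""Audit the browser security headers a Superset deployment actually sends.

Added example (not part of Superset). Feed it the raw output of
`curl -sI https://your-superset/login/` after enabling TALISMAN or setting
HTTP_HEADERS / OVERRIDE_HTTP_HEADERS, to confirm the change took effect.
"""
from __future__ import annotations

# Headers this example expects from a hardened deployment, with the reason.
# This is the example's own policy; the header names are standard HTTP ones.
REQUIRED_HEADERS = {
    "content-security-policy": "limits script/frame sources; set via TALISMAN_CONFIG",
    "strict-transport-security": "pins HTTPS; only meaningful when served over TLS",
    "x-content-type-options": "stops MIME sniffing of responses",
    "referrer-policy": "keeps dashboard URLs and filters out of third-party logs",
}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse raw HTTP response headers (status line optional) into a
    lower-cased name -> value dict. Repeated names are joined with ', '."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # blank line or status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_security_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: list[str] = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name} ({why})")

    # Clickjacking: need X-Frame-Options or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # A CSP whose script-src allows 'unsafe-inline' gives little XSS protection.
    if "script-src" in csp:
        script_src = csp.split("script-src", 1)[1].split(";", 1)[0]
        if "'unsafe-inline'" in script_src:
            findings.append("content-security-policy allows 'unsafe-inline' in script-src")

    # The session cookie should carry both Secure and HttpOnly.
    cookie = h.get("set-cookie", "").lower()
    if cookie and ("secure" not in cookie or "httponly" not in cookie):
        findings.append("set-cookie lacks Secure and/or HttpOnly")
    return findings


# Constructed sample: roughly what a dev instance with TALISMAN_ENABLED = False
# returns (framework defaults only; values are made up for illustration).
SAMPLE_UNHARDENED = """HTTP/1.1 200 OK
Server: Werkzeug
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; HttpOnly; Path=/
"""

# Constructed sample: the same endpoint after enabling TALISMAN with a CSP that
# uses nonces for scripts and restricts framing. Not Superset's default CSP.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self' 'nonce-abc'; frame-ancestors 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax
"""

if __name__ == "__main__":
    for label, sample in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {audit_security_headers(sample) or 'all checks passed'}")
```

Run it against a real response with `curl -sI https://your-superset/login/ | python3 -c 'import sys, audit; print(audit.audit_security_headers(sys.stdin.read()))'` (assuming the file is saved as audit.py). Note that Strict-Transport-Security is only emitted by Talisman over HTTPS, so a finding for it on a plain-HTTP dev instance is expected rather than a misconfiguration.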
Comment From: rusackas
I think we need more details and a relevant link in the PR description to keep this one open.