Bug description

https://github.com/apache/superset/pull/31590/files#r2266640153

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Hi @izissise! I'm Dosu and I'm helping the superset team.

TALISMAN (Flask-Talisman) is explicitly disabled by default in Superset's config.py on the latest master branch—TALISMAN_ENABLED = False. The config still includes detailed TALISMAN_CONFIG and TALISMAN_DEV_CONFIG settings, but these only take effect if you enable TALISMAN yourself. This decision isn't explained in the theming PR you linked, as that PR doesn't address security settings.

The main reason for disabling TALISMAN by default is that flask-talisman is largely unmaintained, and maintainers consider it a potential long-term liability. There's ongoing discussion about replacing it with a better-maintained library or improving documentation for security headers. Disabling TALISMAN is also a common workaround for login issues, especially in non-HTTPS setups or with certain authentication flows like Okta OAuth. You can read more about these concerns and future plans in this discussion: GitHub Discussion #31764.

If you need to enforce security headers, you can either enable TALISMAN and customize its config, or set headers directly using HTTP_HEADERS or OVERRIDE_HTTP_HEADERS in your config. For more details on customizing security headers, see the Superset documentation and examples in config.py.

To reply, just mention @dosu.

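The comment above lists two routes to security headers once TALISMAN is off by default: turn Talisman back on with a custom `TALISMAN_CONFIG`, or set headers through `HTTP_HEADERS` / `OVERRIDE_HTTP_HEADERS`. The block below is an added example, not code from Superset or from anyone in this thread. It shows a `superset_config.py` fragment using those four real config keys (the policy values are constructed, not Superset's defaults) and a small offline checker that a deployer can run against the response headers of their own instance to confirm the headers actually arrived. The header list, the sample responses and the helper name `missing_security_headers` are assumptions for illustration.

```python
# superset_config.py fragment (constructed example, not Superset's defaults)
# ------------------------------------------------------------------------
TALISMAN_ENABLED = True  # master ships with this set to False, per the thread

TALISMAN_CONFIG = {
    # Illustrative CSP; Superset's real policy allows more sources.
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "script-src": ["'self'"],
        "frame-ancestors": ["'self'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    # These three are what break logins on a plain-HTTP deployment (the
    # "non-HTTPS setups" the thread mentions); set them False for local dev.
    "force_https": True,
    "session_cookie_secure": True,
    "strict_transport_security": True,
    "frame_options": "SAMEORIGIN",
}

# Headers applied independently of Talisman (constructed values).
HTTP_HEADERS = {"X-Content-Type-Options": "nosniff"}
OVERRIDE_HTTP_HEADERS = {"Referrer-Policy": "strict-origin-when-cross-origin"}

# Offline checker: verify a captured response carries the expected headers
# ------------------------------------------------------------------------
# name -> substring the value must contain (None = any value is fine).
# This list is an assumption about what a hardened instance should send.
REQUIRED_HEADERS = {
    "Content-Security-Policy": None,
    "Strict-Transport-Security": "max-age=",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": None,
}


def missing_security_headers(headers):
    """Return the required headers that are absent or malformed.

    `headers` is a plain dict of response headers. Names are compared
    case-insensitively, as HTTP header names are.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = []
    for name, needle in REQUIRED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None or (needle is not None and needle not in value):
            missing.append(name)
    return missing


# Constructed sample responses, standing in for what `curl -I` would show.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "content-security-policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

DEFAULT_RESPONSE = {  # Talisman disabled, only HTTP_HEADERS applied
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE),
                            ("default", DEFAULT_RESPONSE)):
        print(f"{label}: missing {missing_security_headers(response)}")
```

Paste the headers from a real response into the dict and run the checker after restarting Superset; an empty list means the chosen route (Talisman or `HTTP_HEADERS`) is actually reaching the client, which is the thing to confirm before relying on either.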

Comment From: rusackas

I think we need more details and a relevant link in the PR description to keep this one open.