Bug description
https://github.com/apache/superset/pull/31590/files#r2266640153
Screenshots/recordings
No response
Superset version
master / latest-dev
Python version
3.9
Node version
16
Browser
Chrome
Additional context
No response
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @izissise! I'm Dosu and I’m helping the superset team.
TALISMAN (Flask-Talisman) is explicitly disabled by default in Superset's config.py on the latest master branch—TALISMAN_ENABLED = False. The config still includes detailed TALISMAN_CONFIG and TALISMAN_DEV_CONFIG settings, but these only take effect if you enable TALISMAN yourself. This decision isn't explained in the theming PR you linked, as that PR doesn't address security settings.
The main reason for disabling TALISMAN by default is that flask-talisman is largely unmaintained, and maintainers consider it a potential long-term liability. There's ongoing discussion about replacing it with a better-maintained library or improving documentation for security headers. Disabling TALISMAN is also a common workaround for login issues, especially in non-HTTPS setups or with certain authentication flows like Okta OAuth. You can read more about these concerns and future plans in this discussion: GitHub Discussion #31764.
If you need to enforce security headers, you can either enable TALISMAN and customize its config, or set headers directly using HTTP_HEADERS or OVERRIDE_HTTP_HEADERS in your config. For more details on customizing security headers, see the Superset documentation and examples in config.py.
To reply, just mention @dosu.
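The bot's comment describes two configuration paths (enable TALISMAN and tune `TALISMAN_CONFIG`, or set headers via `HTTP_HEADERS`/`OVERRIDE_HTTP_HEADERS`) and the thread's core complaint is a hard-coded `TALISMAN_ENABLED = False` that ignores the environment variable. The following is an added example, not code from Superset or from anyone in this thread: hypothetical helpers for a `superset_config.py` that read `TALISMAN_ENABLED` from the environment with a boolean cast, reject the CSRF-off plus Talisman-off combination that the reporter says should fail loudly, and produce a baseline header set for `OVERRIDE_HTTP_HEADERS` when Talisman stays off. The function names, the header values and the `cast_to_boolean` implementation are my own assumptions, not Superset's API.

```python
"""Hypothetical config-guard helpers for a superset_config.py.

Added example, not Superset's own code. It models three points from the thread:
- TALISMAN_ENABLED should come from the environment, not a hard-coded False,
- WTF_CSRF_ENABLED=False together with TALISMAN_ENABLED=False should be rejected,
- if Talisman is off, OVERRIDE_HTTP_HEADERS can still carry baseline headers.
"""
import os

_TRUE = {"1", "true", "t", "yes", "y", "on"}
_FALSE = {"0", "false", "f", "no", "n", "off", ""}


def cast_to_boolean(value, default=False):
    """Parse env-style booleans ("true", "0", ...). Constructed helper; it is
    named after, but not copied from, the cast Superset's config.py applies."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def talisman_enabled_from_env(environ=None):
    """Env-driven setting. Defaulting to True is this example's choice; the
    thread is about master shipping a forced False instead."""
    env = os.environ if environ is None else environ
    return cast_to_boolean(env.get("TALISMAN_ENABLED"), default=True)


def validate_security_config(config):
    """Return a list of problems for a dict of superset_config.py values.
    An empty list means the combination is acceptable; the caller decides
    whether to raise (see assert_security_config)."""
    problems = []
    csrf = cast_to_boolean(config.get("WTF_CSRF_ENABLED"), default=True)
    talisman = cast_to_boolean(config.get("TALISMAN_ENABLED"), default=True)
    if not csrf and not talisman:
        problems.append(
            "WTF_CSRF_ENABLED=False and TALISMAN_ENABLED=False: login runs with "
            "neither CSRF protection nor Talisman's cookie/header hardening"
        )
    if not talisman and not config.get("OVERRIDE_HTTP_HEADERS"):
        problems.append(
            "TALISMAN_ENABLED=False and OVERRIDE_HTTP_HEADERS is empty: no "
            "security headers will be sent at all"
        )
    return problems


def assert_security_config(config):
    """Fail fast at import time of superset_config.py rather than at login."""
    problems = validate_security_config(config)
    if problems:
        raise RuntimeError("insecure configuration: " + "; ".join(problems))
    return True


def fallback_http_headers():
    """Baseline headers to assign to OVERRIDE_HTTP_HEADERS when Talisman is off.
    Values are this example's assumptions, not a Superset recommendation."""
    return {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "SAMEORIGIN",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


if __name__ == "__main__":
    # Constructed sample of what a superset_config.py might set.
    sample = {
        "WTF_CSRF_ENABLED": True,
        "TALISMAN_ENABLED": talisman_enabled_from_env(),
        "OVERRIDE_HTTP_HEADERS": fallback_http_headers(),
    }
    print(validate_security_config(sample))
```

In a real `superset_config.py` you would call `assert_security_config(globals())` at the bottom of the file so that a misconfiguration stops the process at startup instead of surfacing as a stack trace in the login handler, which is the failure mode the reporter describes.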
Comment From: rusackas
I think we need more details and a relevant link in the PR description to keep this one open.
Comment From: izissise
Contrary to what the bot is saying, I was actually hit with a login issue because TALISMAN was disabled, and couldn't enable it easily because it is force-disabled in the conf -> https://github.com/apache/superset/blob/master/superset/config.py#L1822
This is the same line I linked in the PR (just github cannot load it up because it is too big).
Here's how I think you can reproduce the issue I had:
- first boot superset using the provided docker-compose.yml
- connect with admin/admin
- disable CSRF and docker-compose stop/start
- force logout by clearing the cookie in the browser
- login now fails with an exception in the log on this line https://github.com/apache/superset/blob/57d0e78d405b57a4d1e2c4b3486ce57916b962c9/superset/utils/log.py#L200
- activate TALISMAN
- now you can log in

There is a Stack Overflow post with a similar issue: https://stackoverflow.com/questions/77258840/successful-installation-of-superset-3-0-0-on-ubuntu-22-04-3-but-failed-to-log

So this issue is twofold:
- the line linked in the conf should be removed as it is clearly a leftover of a dev conf
- CSRF = false + TALISMAN = false should throw an exception on login
Comment From: amaannawab923
@rusackas I think it came by mistake as part of PR https://github.com/apache/superset/pull/31590, where https://cdn.document360.io was being included in config.py and talisman_enabled was force-set to false regardless of the environment variable.
Comment From: Prasad-JB
Hi, I’m interested in resolving the TALISMAN configuration issue in superset_config.py. I am familiar with Python config files and security settings and would love to help. Please assign this issue to me if available!
Comment From: rusackas
It looks like TALISMAN_ENABLED got set to false in this beast of a PR. @mistercrunch may have context as to whether or not that was an intended change. @sadpandajoe I wonder if we should re-enable it and cherry that into 6.0?
Comment From: mistercrunch
Ooops my bad -> https://github.com/apache/superset/pull/34909