Posted to commits@superset.apache.org by ru...@apache.org on 2023/03/20 19:52:56 UTC

[superset] branch master updated: docs(security): note the need to set TALISMAN_ENABLED = True (#23431)

This is an automated email from the ASF dual-hosted git repository.

rusackas pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new b511d2c624 docs(security): note the need to set TALISMAN_ENABLED = True (#23431)
b511d2c624 is described below

commit b511d2c62409fe96e0cc21404297a245e66793db
Author: Sam Firke <sf...@users.noreply.github.com>
AuthorDate: Mon Mar 20 15:52:47 2023 -0400

    docs(security): note the need to set TALISMAN_ENABLED = True (#23431)
---
 docs/docs/security.mdx | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs/docs/security.mdx b/docs/docs/security.mdx
index 0c792449fb..f8f151c2fe 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security.mdx
@@ -147,11 +147,15 @@ a certain resource type or policy area. You can check possible directives
 [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
 
 It's extremely important to correctly configure a Content Security Policy when deploying Superset to
-prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py`
-where administrators can define the policy. When running in production mode, Superset will check for the presence
-of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments
+prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP:
+
+- `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP
+- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*).
+
+When running in production mode, Superset will check at startup for the presence
+of a CSP.  If one is not found, it will issue a warning with the security risks. For environments
 where CSP policies are defined outside of Superset using other software, administrators can disable
-the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
+this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
 
 #### CSP Requirements
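Review bot: the new bullet for `TALISMAN_CONFIG` carries a duplicated word, "holds the actual the policy definition", which should read "holds the actual policy definition"; while touching that list, the two bullets use inconsistent terminal punctuation (the `TALISMAN_ENABLED` bullet has no period, the `TALISMAN_CONFIG` bullet ends with one), and the rewritten sentence "of a CSP.  If one is not found" has a double space after the period. Since the point of this change is to make administrators aware that `TALISMAN_CONFIG` alone does nothing until `TALISMAN_ENABLED = True` is set, it would also help to state that dependency explicitly in the `TALISMAN_ENABLED` bullet rather than leaving it implied by the order of the two items.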