rusackas commented on code in PR #23537:
URL: https://github.com/apache/superset/pull/23537#discussion_r1159019374
##########
docs/docs/security.mdx:
##########
@@ -194,6 +196,25 @@ TALISMAN_CONFIG = {
}
```
+#### Other Talisman security considerations
+
+Setting `TALISMAN_ENABLED = True` will invoke Talisman's protection with its
default arguments,
+of which `content_security_policy` is only one. Those can be found in the
+[Talisman documentation](https://pypi.org/project/flask-talisman/) under
*Options*.
+These generally improve security, but administrators should be aware of their
existence.
+
+In particular, the default option of `force_https = True` may break Superset's
Alerts & Reports
+if workers are configured to access charts via a `WEBDRIVER_BASEURL` beginning
+with `http://`. As long as a Superset deployment enforces https upstream,
e.g.,
+through a loader balancer or application gateway, it should be acceptable to
set this
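Review bot: `loader balancer` in `through a loader balancer or application gateway` should read `load balancer`. The sentence that ends `it should be acceptable to set this` should name the option and value the administrator is expected to set, and should use the dict syntax of the surrounding `TALISMAN_CONFIG` example (a `'force_https': ...` key) rather than `force_https = True`, which reads like a keyword argument. It would also help to mention the alternative that keeps the default intact, namely configuring `WEBDRIVER_BASEURL` with an `https://` scheme, so readers do not assume disabling the redirect is the only fix.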
Review Comment:
```suggestion
with `http://`. As long as a Superset deployment enforces https upstream, e.g.,
through a load balancer or application gateway, it should be acceptable to set this
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]