GitHub user dosubot[bot] added a comment to the discussion: Deploying Apache superset (Version : 2.0.0) frontend and backend separately
Hi @KunfuPanda24! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

Deploying Superset v2.0.0 with the frontend and backend separately behind a gateway is not straightforward or officially supported. The frontend expects to fetch APIs and static files relative to paths injected by the backend at runtime, not via externally provided configs. While the SupersetClient library allows some configuration of backend URLs and headers, the overall architecture assumes a monolithic deployment model, and static asset routes like `/static` are not managed by the frontend client—they must be served directly by the gateway or web server without authentication barriers for the UI to work properly [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts)].

Trying to update hardcoded frontend routes or inject bearer tokens for static assets is risky and likely to break features, especially authentication and asset delivery. This approach can introduce major security vulnerabilities, such as exposing tokens in client-side code and making maintenance difficult [[discussion](https://github.com/apache/superset/discussions/31570)].

Best practice is to configure your gateway or reverse proxy to allow unauthenticated access to static assets (like `/static`) while enforcing authentication only for API endpoints. If your gateway cannot do this, consider deploying Superset on a dedicated DNS/host rule rather than a subpath, which avoids many routing and asset issues [[discussion](https://github.com/apache/superset/discussions/31570)]. For robust subpath support, upgrading to Superset 6.0+ is recommended, as earlier versions have known bugs and limitations with this deployment pattern [[issue](https://github.com/apache/superset/issues/34896)].

In summary: modifying frontend code for bearer tokens and gateway URLs is not recommended. Focus on proxy/gateway configuration to serve static assets correctly and avoid authentication on those routes.

GitHub link: https://github.com/apache/superset/discussions/35055#discussioncomment-14339773
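
The gateway split the comment recommends, written out as an added example (it is not part of the comment or of the Superset project): `/static/` is proxied without gateway authentication, while `/api/` must pass a token check before it reaches the backend. It assumes nginx with the `auth_request` module as the gateway and a dedicated host rule; the hostname, ports, certificate paths, the `/api/` prefix choice and the token validator service are assumptions.

```nginx
# Added example. Hostname, ports, certificate paths and the token
# validator service are assumptions, not values from the discussion.
upstream superset_app    { server 127.0.0.1:8088; }  # assumed Superset backend
upstream token_validator { server 127.0.0.1:9000; }  # hypothetical auth service

server {
    listen 443 ssl;
    server_name superset.example.internal;   # dedicated host rule, no subpath
    ssl_certificate     /etc/nginx/tls/superset.example.internal.crt;
    ssl_certificate_key /etc/nginx/tls/superset.example.internal.key;

    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Static bundles: no gateway authentication, read-only methods only.
    location /static/ {
        limit_except GET { deny all; }        # GET also permits HEAD
        proxy_pass http://superset_app;
    }

    # API endpoints: each request must pass the validator subrequest first.
    location /api/ {
        auth_request /_gateway_auth;
        proxy_pass http://superset_app;
    }

    # Internal-only subrequest target; clients cannot call it directly.
    location = /_gateway_auth {
        internal;
        proxy_pass http://token_validator/validate;   # hypothetical endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Everything else (HTML pages, login) goes to Superset unchanged.
    location / {
        proxy_pass http://superset_app;
    }
}
```

With this layout the bearer token is only ever checked at the gateway for API calls, so nothing in the frontend bundle needs to carry or embed it for asset requests.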