GitHub user dosubot[bot] added a comment to the discussion: Deploying Apache superset (Version : 2.0.0) frontend and backend separately
Your approach—configuring the frontend to target backend API endpoints at a gateway URL with bearer tokens, while serving the frontend unauthenticated from a different domain—can work technically, but there are important caveats and risks.

Superset's frontend client (SupersetClient) is highly configurable: you can set the backend API URL, add custom headers (including bearer tokens), and enable CORS mode for cross-origin requests if the backend is configured to allow it. This means you can direct API calls from the frontend to a protected backend behind your gateway, as long as you set `ENABLE_CORS = True` and configure `CORS_OPTIONS` to allow requests from your frontend domain [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset-frontend/packages/superset-ui-core/src/connection/README.md)].

However, static assets (like `/static`) are not managed by the frontend client and must be served directly by your gateway or web server without authentication. The frontend does not inject tokens for static asset requests, so your gateway must allow unauthenticated access to these routes for the UI to work. Trying to inject tokens or rewrite static asset URLs in the frontend is not supported and will likely break features or introduce security issues [[code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py)].

This deployment pattern is not officially documented or recommended in Superset v2.0.0. While it can be made to work with careful configuration, you may encounter edge cases or regressions, especially with authentication flows and embedded features. For long-term stability, the best practice is to configure your gateway to allow unauthenticated access to static assets and only protect API endpoints, or to deploy Superset on a dedicated host or DNS rule.

If you proceed, make sure to review your CORS, static asset, and authentication configurations carefully to avoid exposing sensitive endpoints or breaking the UI.

GitHub link: https://github.com/apache/superset/discussions/35055#discussioncomment-14340489

This is an automatically sent email for notifications@superset.apache.org. To unsubscribe, please send an email to: notifications-unsubscr...@superset.apache.org
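The comment above leaves two concrete configuration decisions to the reader: what a safe `CORS_OPTIONS` dict looks like next to a permissive one, and how the gateway should split `/static` from the API. The following is an added example, not code from Superset or from the discussion. It assumes flask-cors-style option keys (`origins`, `supports_credentials`, `allow_headers`, `resources`), which is what Superset passes through, and a simplified origin matcher (exact match or `*`) rather than flask-cors's own, which also accepts regular expressions. The frontend origin, hostnames and the hardened `resources` list are placeholder choices for illustration.

```python
"""Pre-deployment checks for a split Superset frontend/backend behind a gateway.

1. lint_cors_options(): flags risky values before they go into superset_config.py.
2. origin_allowed(): simplified model of which Origin the CORS policy admits.
3. gateway_policy(): the route split the comment recommends -- static assets pass
   unauthenticated, everything else needs a bearer token.

Origin matching is exact-or-wildcard only (an assumption of this example);
flask-cors itself also treats origin strings as regular expressions.
"""
from typing import Dict, List, Mapping

# Placeholder frontend origin (constructed for this example).
FRONTEND_ORIGIN = "https://dashboards.example.internal"

# Permissive configuration: any origin, with credentials, any header.
# Browsers refuse "*" together with credentials, so frameworks reflect the
# request Origin instead, which lets any site call the API with the user's cookies.
WEAK_CORS_OPTIONS: Dict[str, object] = {
    "supports_credentials": True,
    "allow_headers": ["*"],
    "resources": ["*"],
    "origins": ["*"],
}

# Tightened configuration: one origin, only the headers the client sends,
# CORS limited to the API prefix (placeholder list; widen only for routes
# the frontend really calls cross-origin).
HARDENED_CORS_OPTIONS: Dict[str, object] = {
    "supports_credentials": True,
    "allow_headers": ["Authorization", "Content-Type", "X-CSRFToken"],
    "resources": ["/api/*"],
    "origins": [FRONTEND_ORIGIN],
}


def lint_cors_options(opts: Mapping[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    origins = list(opts.get("origins", []))  # type: ignore[arg-type]
    if not origins:
        findings.append("origins is empty: cross-origin calls from the frontend will fail")
    if "*" in origins and opts.get("supports_credentials"):
        findings.append("wildcard origin combined with supports_credentials")
    for origin in origins:
        if origin != "*" and origin.startswith("http://"):
            findings.append(f"plaintext origin {origin}: bearer tokens would cross the wire unencrypted")
        if origin != "*" and origin.endswith("/"):
            findings.append(f"origin {origin} has a trailing slash and will never match an Origin header")
    if "*" in list(opts.get("allow_headers", [])):  # type: ignore[arg-type]
        findings.append("allow_headers wildcard: list the headers the client actually sends")
    return findings


def origin_allowed(opts: Mapping[str, object], request_origin: str) -> bool:
    """Simplified CORS origin decision (exact match or '*')."""
    origins = list(opts.get("origins", []))  # type: ignore[arg-type]
    return "*" in origins or request_origin in origins


def gateway_policy(path: str, headers: Mapping[str, str]) -> str:
    """Decision a gateway in front of Superset should make for one request.

    Static assets are served without authentication because the frontend
    cannot attach a token to them; every other path must carry a bearer token.
    Token *validation* belongs to the gateway's auth layer and is out of scope here.
    """
    if path.startswith("/static/"):
        return "allow_unauthenticated"
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme == "Bearer" and token.strip():
        return "allow"
    return "deny"


if __name__ == "__main__":
    for name, opts in (("weak", WEAK_CORS_OPTIONS), ("hardened", HARDENED_CORS_OPTIONS)):
        print(name, lint_cors_options(opts) or "no findings")
    print(gateway_policy("/static/assets/app.js", {}))
    print(gateway_policy("/api/v1/chart/", {"Authorization": "Bearer <token>"}))
```

Running the linter against both dicts shows the permissive one tripping the wildcard-with-credentials and wildcard-header checks while the tightened one passes; `gateway_policy` encodes the split the comment recommends, so a request for `/api/v1/chart/` without an `Authorization: Bearer` header is denied while `/static/...` is let through.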