sha174n commented on code in PR #35190: URL: https://github.com/apache/superset/pull/35190#discussion_r2362467091
########## docs/docs/security/securing_superset.mdx: ########## 
@@ -0,0 +1,205 @@ +--- +title: Securing Your Superset Installation for Production +sidebar_position: 3 +--- + +> *This guide applies to Apache Superset version 4.0 and later.* + +The default Apache Superset configuration is optimized for ease of use and development, not for security. For any production deployment, it is **critical** that you review and apply the following security configurations to harden your instance, protect user data, and prevent unauthorized access. + +This guide provides a comprehensive checklist of essential security configurations and best practices. + +### **Critical Prerequisites: HTTPS/TLS Configuration** + +Running Superset without HTTPS (TLS) is not secure. Without it, all network traffic—including user credentials, session tokens, and sensitive data—is sent in cleartext and can be easily intercepted. + +* **Use a Reverse Proxy:** Your Superset instance should always be deployed behind a reverse proxy (e.g., Nginx, Traefik) or a load balancer (e.g., AWS ALB, Google Cloud Load Balancer) that is configured to handle HTTPS termination. +* **Enforce Modern TLS:** Configure your proxy to enforce TLS 1.2 or higher with strong, industry-standard cipher suites. +* **Implement HSTS:** Use the HTTP Strict Transport Security (HSTS) header to ensure browsers only connect to your Superset instance over HTTPS. This can be configured in your reverse proxy or within Superset's Talisman settings. + +> #### ⚠️ Warning: Never Run Superset on HTTP in Production +> +> Exposing Superset directly over HTTP is a critical security risk that exposes your entire instance to network interception attacks. Review Comment: Same, will be removed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
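Review bot: the "Implement HSTS" bullet tells the reader this "can be configured ... within Superset's Talisman settings" but never names the setting or shows what a correct entry looks like, so the checklist is not actionable on the Superset side; either name the Talisman configuration keys in `superset_config.py` (`TALISMAN_ENABLED` / `TALISMAN_CONFIG`) with a minimal entry that sets `Strict-Transport-Security`, or drop the Superset-side mention and keep HSTS at the proxy, where the "Use a Reverse Proxy" bullet already places TLS termination. Because that bullet makes the proxy terminate HTTPS, Superset itself receives plain HTTP from the proxy, so the section should also say how Superset learns the original scheme and host (the proxy forwarding headers plus Superset's proxy-fix setting, `ENABLE_PROXY_FIX`); without that, generated URLs and redirects can fall back to http and quietly undo the "Never Run Superset on HTTP" warning. Minor style point: `### **Critical Prerequisites: HTTPS/TLS Configuration**` nests bold inside a heading, which is redundant in MDX and inconsistent with the plain headings elsewhere in the docs.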
To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org