dosubot[bot] commented on issue #34637: URL: https://github.com/apache/superset/issues/34637#issuecomment-3174707759
Hi @izissise! I'm [Dosu](https://go.dosu.dev/dosubot) and I'm helping the superset team.

TALISMAN (Flask-Talisman) is explicitly disabled by default in Superset's config.py on the latest master branch: `TALISMAN_ENABLED = False`. The config still includes detailed TALISMAN_CONFIG and TALISMAN_DEV_CONFIG settings, but these only take effect if you enable TALISMAN yourself. This decision isn't explained in the theming PR you linked, as that PR doesn't address security settings.

The main reason for disabling TALISMAN by default is that flask-talisman is largely unmaintained, and maintainers consider it a potential long-term liability. There's ongoing discussion about replacing it with a better-maintained library or improving documentation for security headers. Disabling TALISMAN is also a common workaround for login issues, especially in non-HTTPS setups or with certain authentication flows like Okta OAuth. You can read more about these concerns and future plans in this discussion: [GitHub Discussion #31764](https://github.com/apache/superset/discussions/31764).

If you need to enforce security headers, you can either enable TALISMAN and customize its config, or set headers directly using HTTP_HEADERS or OVERRIDE_HTTP_HEADERS in your config. For more details on customizing security headers, see the [Superset documentation](https://superset.apache.org/docs/configuration/networking-settings/#changing-flask-talisman-csp) and examples in config.py.

*To reply, just mention [@dosu](https://go.dosu.dev/dosubot).*
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@superset.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
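The two options the comment names (enable Talisman with your own TALISMAN_CONFIG, or leave it off and set headers through HTTP_HEADERS / OVERRIDE_HTTP_HEADERS), as an added example that is not code from the Superset project or from anyone in this thread. It is written as a superset_config.py fragment plus an offline checker for the headers a deployment actually returns. Assumptions: the four setting names are the Superset config keys the comment refers to; the keys inside TALISMAN_CONFIG are flask-talisman constructor keyword arguments; the sample header sets near the bottom are constructed here, not captured from a real server; the policy values are illustrative, not Superset's defaults.

```python
"""Added example (not Superset project code): Talisman vs. direct headers.

Option 1 keeps flask-talisman and gives it an explicit policy. Option 2 is
for a deployment that keeps TALISMAN_ENABLED = False and sets headers itself.
Either block alone is a valid config; both are shown for comparison.
"""

# --- Option 1: enable Talisman with an explicit policy ----------------------
TALISMAN_ENABLED = True
TALISMAN_CONFIG = {  # keys are flask-talisman Talisman(...) keyword arguments
    "content_security_policy": {
        "default-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "style-src": ["'self'", "'unsafe-inline'"],
        # No 'unsafe-inline' for scripts: the nonce setting below covers them.
        "script-src": ["'self'"],
        "frame-ancestors": ["'self'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    # Plain-HTTP login loops usually come from this one flag. Behind a
    # TLS-terminating proxy or in local testing, set it to False instead of
    # disabling TALISMAN_ENABLED and losing every other header with it.
    "force_https": True,
    "session_cookie_secure": True,
}

# --- Option 2: Talisman off, headers set directly (assumed Superset keys) ---
HTTP_HEADERS = {  # added to every response
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
OVERRIDE_HTTP_HEADERS = {  # wins over any header already on the response
    "X-Frame-Options": "SAMEORIGIN",
}

# --- Offline checker for whichever option is deployed -----------------------
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def render_csp(policy: dict) -> str:
    """Serialise a flask-talisman style CSP dict into a header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def missing_security_headers(headers: dict) -> list:
    """Names from REQUIRED_HEADERS absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in REQUIRED_HEADERS if name.lower() not in present]


def csp_findings(value: str) -> list:
    """Weaknesses a reviewer would flag in a CSP header value."""
    if not value:
        return ["no Content-Security-Policy"]
    policy = parse_csp(value)
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script:
        findings.append("script-src allows any origin")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive")
    return findings


# Constructed sample responses, not captured from a real Superset instance.
HEADERS_TALISMAN_ON = {
    "Content-Security-Policy": render_csp(TALISMAN_CONFIG["content_security_policy"]),
    "Strict-Transport-Security": "max-age=31556926; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
# TALISMAN_ENABLED = False with nothing in HTTP_HEADERS: the bare response.
HEADERS_TALISMAN_OFF_BARE = {"Content-Type": "text/html; charset=utf-8"}
# TALISMAN_ENABLED = False but Option 2 applied on top of the bare response.
HEADERS_TALISMAN_OFF_DIRECT = {**HEADERS_TALISMAN_OFF_BARE, **HTTP_HEADERS, **OVERRIDE_HTTP_HEADERS}

if __name__ == "__main__":
    for label, hdrs in (("talisman on", HEADERS_TALISMAN_ON),
                        ("talisman off, bare", HEADERS_TALISMAN_OFF_BARE),
                        ("talisman off, direct headers", HEADERS_TALISMAN_OFF_DIRECT)):
        print(label, "missing:", missing_security_headers(hdrs),
              "csp:", csp_findings(hdrs.get("Content-Security-Policy", "")))
```

The checker makes the trade-off concrete: with Talisman off and only HTTP_HEADERS / OVERRIDE_HTTP_HEADERS set, the response still lacks a CSP and HSTS unless you add those values yourself, and a CSP written by hand is easy to weaken (the `'unsafe-inline'` and missing `frame-ancestors` cases are the common ones). Running it against a real deployment means feeding it the header dict from a `requests` response instead of the constructed samples.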