Kash-ish15 commented on issue #37364: URL: https://github.com/apache/superset/issues/37364#issuecomment-3785766985
Hi @ypandey-fluidata, thanks for sharing the detailed context and code snippet.

Just to clarify expectations and scope:

Am I correct in understanding that the primary concern here is frontend code visibility (via browser dev tools) when embedding dashboards using the Superset Embedded SDK, rather than an actual vulnerability in Superset itself?

From a security-model perspective, is the expectation that all sensitive logic (auth, RLS, secrets) must live entirely in the backend that issues the guest token, and that frontend JS visibility is considered acceptable as long as the guest token is short-lived and scoped?

Is there any recommended or planned approach in Apache Superset to further abstract or harden embedded usage for low-code platforms (e.g., guidance, docs, or helper patterns), or should this be treated primarily as a documentation / best-practices question?

Happy to adjust understanding based on maintainer guidance. Thanks!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
