GitHub user dosubot[bot] added a comment to the discussion: Requests to charts failing with 403 error for publicly accessible URL only
This is almost certainly your **Azure Front Door WAF** blocking Superset's chart data API requests — not a Superset issue itself. The key evidence: the same pod works over VPN but fails on the public URL, meaning the WAF is pattern-matching on the request content before it reaches Superset.

**Why this happens:**

When Superset charts load, they make POST requests to endpoints like `/api/v1/chart/data` with JSON payloads that contain SQL-like patterns (e.g., `SELECT`, `WHERE`, `LIMIT` clauses). Azure Front Door's managed WAF rulesets (especially SQL injection detection rules) commonly flag these as malicious and return a 403 block page — exactly what you're seeing [[1]](https://github.com/apache/superset/discussions/40884).

**How to fix it:**

1. **Check Azure Front Door WAF logs** — In the Azure portal, go to your Front Door → WAF policy → Monitoring/Logs. Look for blocked requests and identify which specific rule IDs are triggering (likely SQL injection rules like `942xxx` from the OWASP CRS ruleset).
2. **Exclude Superset API paths from offending WAF rules** — Once you identify the triggering rules, create exclusions for these paths:
   - `/api/v1/chart/data`
   - `/api/v1/sqllab/execute/`
   - `/api/v1/database/*/validate_sql/`

   You can either disable specific rules for these paths or switch matching rules from "Block" to "Log" mode.
3. **Alternative: Use a custom rule with lower priority** to explicitly allow requests to Superset API paths before the managed ruleset evaluates them.

This same pattern has been reported by other Superset users with different WAFs (Signal-Sciences/Fastly), and the resolution was always adjusting WAF rules to exclude Superset's API endpoints from SQL injection inspection [[2]](https://github.com/apache/superset/issues/36072#issuecomment-4114107526).

The reason it works over VPN is that those connections bypass the Azure Front Door WAF entirely and hit the pod directly (or through a different ingress path without WAF inspection).
GitHub link: https://github.com/apache/superset/discussions/40886#discussioncomment-17232861
