From b511d2c62409fe96e0cc21404297a245e66793db Mon Sep 17 00:00:00 2001 From: Sam Firke Date: Mon, 20 Mar 2023 15:52:47 -0400 Subject: [PATCH] docs(security): note the need to set TALISMAN_ENABLED = True (#23431) --- docs/docs/security.mdx | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/docs/security.mdx b/docs/docs/security.mdx index 0c792449f..f8f151c2f 100644 --- a/docs/docs/security.mdx +++ b/docs/docs/security.mdx @@ -147,11 +147,15 @@ a certain resource type or policy area. You can check possible directives [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). It's extremely important to correctly configure a Content Security Policy when deploying Superset to -prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py` -where administrators can define the policy. When running in production mode, Superset will check for the presence -of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments +prevent many types of attacks. Superset provides two variables in `config.py` for deploying a CSP: + +- `TALISMAN_ENABLED` defaults to `False`; set this to `True` in order to implement a CSP +- `TALISMAN_CONFIG` holds the actual the policy definition (*see example below*). + +When running in production mode, Superset will check at startup for the presence +of a CSP. If one is not found, it will issue a warning with the security risks. For environments where CSP policies are defined outside of Superset using other software, administrators can disable -the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`. +this warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`. #### CSP Requirements
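Review bot: the second bullet in the new list has a doubled article, "holds the actual the policy definition"; suggest "holds the policy definition itself (*see example below*)". While touching those two bullets, make their punctuation consistent as well: the `TALISMAN_ENABLED` item ends without a period while the `TALISMAN_CONFIG` item ends with one.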