docs/versioned_docs/version-6.0.0/configuration/networking-settings.mdx - superset - Git at Google

 ---
 title: Network and Security Settings
 sidebar_position: 7
 version: 1
 ---

 # Network and Security Settings

 ## CORS


 :::note
 In Superset versions prior to `5.x` you have to install to install `flask-cors` with `pip install flask-cors` to enable CORS support.
 :::


 The following keys in `superset_config.py` can be specified to configure CORS:

 - `ENABLE_CORS`: Must be set to `True` in order to enable CORS
 - `CORS_OPTIONS`: options passed to Flask-CORS
   ([documentation](https://flask-cors.readthedocs.io/en/latest/api.html#extension))

 ## HTTP headers

 Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/)
 Self-described as a small Flask extension that handles setting HTTP headers that can help
 protect against a few common web application security issues.

 ## HTML Embedding of Dashboards and Charts

 There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard.

 ### Embedding a Public Direct Link to a Dashboard

 This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. **bypassing authentication**. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code.

 #### Changing flask-talisman CSP

 Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section:

 ```python
 TALISMAN_ENABLED = True
 TALISMAN_CONFIG = {
     "content_security_policy": {
     ...
  "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
     ...
 ```

 Restart Superset for this configuration change to take effect.

 #### Making a Dashboard Public

 1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py`
 2. Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards)

 #### Embedding a Public Dashboard

 Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so:

 ```html
 <iframe
   width="600"
   height="400"
   seamless
   frameBorder="0"
   scrolling="no"
   src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
 >
 </iframe>
 ```

 #### Embedding a Chart

 A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code`

 ### Enabling Embedding via the SDK

 Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard".

 To enable this entry, add the following line to the `.env` file:

 ```text
 SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
 ```

 ## CSRF settings

 Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used to manage
 some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
 running a custom auth postback endpoint), you can add the endpoints to `WTF_CSRF_EXEMPT_LIST`:

 ## SSH Tunneling

 1. Turn on feature flag
     - Change [`SSH_TUNNELING`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L489) to `True`
     - If you want to add more security when establishing the tunnel we allow users to overwrite the `SSHTunnelManager` class [here](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L507)
     - You can also set the [`SSH_TUNNEL_LOCAL_BIND_ADDRESS`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L508) this the host address where the tunnel will be accessible on your VPC

 2. Create database w/ ssh tunnel enabled
     - With the feature flag enabled you should now see ssh tunnel toggle.
     - Click the toggle to enable SSH tunneling and add your credentials accordingly.
         - Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider.

 3. Verify data is flowing
     - Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing.

 ## Domain Sharding

 :::note
 Domain Sharding is deprecated as of Superset 5.0.0, and will be removed in Superset 6.0.0. Please Enable HTTP2 to keep more open connections per domain.
 :::

 Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in
 dashboard, a lot of time fetch requests are queued up and wait for next available socket.
 [PR 5039](https://github.com/apache/superset/pull/5039) adds domain sharding to Superset,
 and this feature will be enabled by configuration only (by default Superset doesn’t allow
 cross-domain request).

 Add the following setting in your `superset_config.py` file:

 - `SUPERSET_WEBSERVER_DOMAINS`: list of allowed hostnames for domain sharding feature.

 Please create your domain shards as subdomains of your main domain for authorization to
 work properly on new domains. For Example:

 - `SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']`

 or add the following setting in your `superset_config.py` file if domain shards are not subdomains of main domain.

 - `SESSION_COOKIE_DOMAIN = '.mydomain.com'`

 ## Middleware

 Superset allows you to add your own middleware. To add your own middleware, update the
 `ADDITIONAL_MIDDLEWARE` key in your `superset_config.py`. `ADDITIONAL_MIDDLEWARE` should be a list
 of your additional middleware classes.

 For example, to use `AUTH_REMOTE_USER` from behind a proxy server like nginx, you have to add a
 simple middleware class to add the value of `HTTP_X_PROXY_REMOTE_USER` (or any other custom header
 from the proxy) to Gunicorn’s `REMOTE_USER` environment variable.
	---
	title: Network and Security Settings
	sidebar_position: 7
	version: 1
	---

	# Network and Security Settings

	## CORS


	:::note
	In Superset versions prior to `5.x` you have to install to install `flask-cors` with `pip install flask-cors` to enable CORS support.
	:::


	The following keys in `superset_config.py` can be specified to configure CORS:

	- `ENABLE_CORS`: Must be set to `True` in order to enable CORS
	- `CORS_OPTIONS`: options passed to Flask-CORS
	([documentation](https://flask-cors.readthedocs.io/en/latest/api.html#extension))

	## HTTP headers

	Note that Superset bundles [flask-talisman](https://pypi.org/project/talisman/)
	Self-described as a small Flask extension that handles setting HTTP headers that can help
	protect against a few common web application security issues.

	## HTML Embedding of Dashboards and Charts

	There are two ways to embed a dashboard: Using the [SDK](https://www.npmjs.com/package/@superset-ui/embedded-sdk) or embedding a direct link. Note that in the latter case everybody who knows the link is able to access the dashboard.

	### Embedding a Public Direct Link to a Dashboard

	This works by first changing the content security policy (CSP) of [flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman) to allow for certain domains to display Superset content. Then a dashboard can be made publicly accessible, i.e. bypassing authentication. Once made public, the dashboard's URL can be added to an iframe in another website's HTML code.

	#### Changing flask-talisman CSP

	Add to `superset_config.py` the entire `TALISMAN_CONFIG` section from `config.py` and include a `frame-ancestors` section:

	```python
	TALISMAN_ENABLED = True
	TALISMAN_CONFIG = {
	"content_security_policy": {
	...
	"frame-ancestors": [".my-domain.com", ".another-domain.com"],
	...
	```

	Restart Superset for this configuration change to take effect.

	#### Making a Dashboard Public

	1. Add the `'DASHBOARD_RBAC': True` [Feature Flag](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) to `superset_config.py`
	2. Add the `Public` role to your dashboard as described [here](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard/#manage-access-to-dashboards)

	#### Embedding a Public Dashboard

	Now anybody can directly access the dashboard's URL. You can embed it in an iframe like so:

	```html
	<iframe
	width="600"
	height="400"
	seamless
	frameBorder="0"
	scrolling="no"
	src="https://superset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
	>
	</iframe>
	```

	#### Embedding a Chart

	A chart's embed code can be generated by going to a chart's edit view and then clicking at the top right on `...` > `Share` > `Embed code`

	### Enabling Embedding via the SDK

	Clicking on `...` next to `EDIT DASHBOARD` on the top right of the dashboard's overview page should yield a drop-down menu including the entry "Embed dashboard".

	To enable this entry, add the following line to the `.env` file:

	```text
	SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
	```

	## CSRF settings

	Similarly, [flask-wtf](https://flask-wtf.readthedocs.io/en/0.15.x/config/) is used to manage
	some CSRF configurations. If you need to exempt endpoints from CSRF (e.g. if you are
	running a custom auth postback endpoint), you can add the endpoints to `WTF_CSRF_EXEMPT_LIST`:

	## SSH Tunneling

	1. Turn on feature flag
	- Change [`SSH_TUNNELING`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L489) to `True`
	- If you want to add more security when establishing the tunnel we allow users to overwrite the `SSHTunnelManager` class [here](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L507)
	- You can also set the [`SSH_TUNNEL_LOCAL_BIND_ADDRESS`](https://github.com/apache/superset/blob/eb8386e3f0647df6d1bbde8b42073850796cc16f/superset/config.py#L508) this the host address where the tunnel will be accessible on your VPC

	2. Create database w/ ssh tunnel enabled
	- With the feature flag enabled you should now see ssh tunnel toggle.
	- Click the toggle to enable SSH tunneling and add your credentials accordingly.
	- Superset allows for two different types of authentication (Basic + Private Key). These credentials should come from your service provider.

	3. Verify data is flowing
	- Once SSH tunneling has been enabled, go to SQL Lab and write a query to verify data is properly flowing.

	## Domain Sharding

	:::note
	Domain Sharding is deprecated as of Superset 5.0.0, and will be removed in Superset 6.0.0. Please Enable HTTP2 to keep more open connections per domain.
	:::

	Chrome allows up to 6 open connections per domain at a time. When there are more than 6 slices in
	dashboard, a lot of time fetch requests are queued up and wait for next available socket.
	[PR 5039](https://github.com/apache/superset/pull/5039) adds domain sharding to Superset,
	and this feature will be enabled by configuration only (by default Superset doesn’t allow
	cross-domain request).

	Add the following setting in your `superset_config.py` file:

	- `SUPERSET_WEBSERVER_DOMAINS`: list of allowed hostnames for domain sharding feature.

	Please create your domain shards as subdomains of your main domain for authorization to
	work properly on new domains. For Example:

	- `SUPERSET_WEBSERVER_DOMAINS=['superset-1.mydomain.com','superset-2.mydomain.com','superset-3.mydomain.com','superset-4.mydomain.com']`

	or add the following setting in your `superset_config.py` file if domain shards are not subdomains of main domain.

	- `SESSION_COOKIE_DOMAIN = '.mydomain.com'`

	## Middleware

	Superset allows you to add your own middleware. To add your own middleware, update the
	`ADDITIONAL_MIDDLEWARE` key in your `superset_config.py`. `ADDITIONAL_MIDDLEWARE` should be a list
	of your additional middleware classes.

	For example, to use `AUTH_REMOTE_USER` from behind a proxy server like nginx, you have to add a
	simple middleware class to add the value of `HTTP_X_PROXY_REMOTE_USER` (or any other custom header
	from the proxy) to Gunicorn’s `REMOTE_USER` environment variable.