feat: Adds a Content Security Policy (CSP) check for production environments (#21874)
This commit is contained in:
parent
b17ef18aae
commit
f4da74ce8d
|
@ -131,6 +131,28 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role,
|
||||||
will result in users of that role having `client_id=4` AND `client_id=5`
|
will result in users of that role having `client_id=4` AND `client_id=5`
|
||||||
added to their query, which can never be true.
|
added to their query, which can never be true.
|
||||||
|
|
||||||
|
### Content Security Policiy (CSP)
|
||||||
|
|
||||||
|
[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added
|
||||||
|
layer of security that helps to detect and mitigate certain types of attacks, including
|
||||||
|
Cross-Site Scripting (XSS) and data injection attacks.
|
||||||
|
|
||||||
|
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can
|
||||||
|
occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
|
||||||
|
A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains,
|
||||||
|
ignoring all other scripts (including inline scripts and event-handling HTML attributes).
|
||||||
|
|
||||||
|
A policy is described using a series of policy directives, each of which describes the policy for
|
||||||
|
a certain resource type or policy area. You can check possible directives
|
||||||
|
[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
|
||||||
|
|
||||||
|
It's extremely important to correclty configure a Content Security Policy when deploying Superset to
|
||||||
|
prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py`
|
||||||
|
where admnistrators can define the policy. When running in production mode, Superset will check for the presence
|
||||||
|
of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments
|
||||||
|
where CSP policies are defined outside of Superset using other software, administrators can disable
|
||||||
|
the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
|
||||||
|
|
||||||
### Reporting Security Vulnerabilities
|
### Reporting Security Vulnerabilities
|
||||||
|
|
||||||
Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its
|
Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its
|
||||||
|
|
|
@ -1223,6 +1223,9 @@ PREFERRED_DATABASES: List[str] = [
|
||||||
# one here.
|
# one here.
|
||||||
TEST_DATABASE_CONNECTION_TIMEOUT = timedelta(seconds=30)
|
TEST_DATABASE_CONNECTION_TIMEOUT = timedelta(seconds=30)
|
||||||
|
|
||||||
|
# Enable/disable CSP warning
|
||||||
|
CONTENT_SECURITY_POLICY_WARNING = True
|
||||||
|
|
||||||
# Do you want Talisman enabled?
|
# Do you want Talisman enabled?
|
||||||
TALISMAN_ENABLED = False
|
TALISMAN_ENABLED = False
|
||||||
# If you want Talisman, how do you want it configured??
|
# If you want Talisman, how do you want it configured??
|
||||||
|
|
|
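Review bot: The comment `# Enable/disable CSP warning` above the new `CONTENT_SECURITY_POLICY_WARNING = True` says neither what is being checked nor when an operator is expected to turn it off, and config.py is where operators will read it. I would expand it to `# Log a warning at startup when no Content Security Policy is configured (TALISMAN_ENABLED is False, or TALISMAN_CONFIG has no "content_security_policy") and the app is not in debug mode.` followed by `# Set to False only when CSP is enforced outside Superset, e.g. by a reverse proxy; this flag silences the check, it does not add a policy.` Given the neighbouring `TALISMAN_ENABLED = False` default, every fresh production deploy will log this warning, which looks intended but is worth stating here so nobody reads it as a misconfiguration of the flag itself.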
@ -575,8 +575,28 @@ class SupersetAppInitializer: # pylint: disable=too-many-public-methods
|
||||||
# Flask-Compress
|
# Flask-Compress
|
||||||
Compress(self.superset_app)
|
Compress(self.superset_app)
|
||||||
|
|
||||||
|
show_csp_warning = False
|
||||||
|
if (
|
||||||
|
self.config["CONTENT_SECURITY_POLICY_WARNING"]
|
||||||
|
and not self.superset_app.debug
|
||||||
|
):
|
||||||
if self.config["TALISMAN_ENABLED"]:
|
if self.config["TALISMAN_ENABLED"]:
|
||||||
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
|
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
|
||||||
|
if not self.config["TALISMAN_CONFIG"].get("content_security_policy"):
|
||||||
|
show_csp_warning = True
|
||||||
|
else:
|
||||||
|
show_csp_warning = True
|
||||||
|
|
||||||
|
if show_csp_warning:
|
||||||
|
logger.warning(
|
||||||
|
"We haven't found any Content Security Policy (CSP) defined in "
|
||||||
|
"the configurations. Please make sure to configure CSP using the "
|
||||||
|
"TALISMAN_CONFIG key or any other external software. Failing to "
|
||||||
|
"configure CSP have serious security implications. Check "
|
||||||
|
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more "
|
||||||
|
"information. You can disable this warning using the "
|
||||||
|
"CONTENT_SECURITY_POLICY_WARNING key."
|
||||||
|
)
|
||||||
|
|
||||||
def configure_logging(self) -> None:
|
def configure_logging(self) -> None:
|
||||||
self.config["LOGGING_CONFIGURATOR"].configure_logging(
|
self.config["LOGGING_CONFIGURATOR"].configure_logging(
|
||||||
|
|
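Review bot: The new guard `if (self.config["CONTENT_SECURITY_POLICY_WARNING"] and not self.superset_app.debug):` ends with `):` immediately before the existing `if self.config["TALISMAN_ENABLED"]:` / `talisman.init_app(...)` pair, and the new `else:` can only belong to that inner `if`, so the inner `if` now sits inside the guard (indentation is lost in this rendering, so confirm against the raw diff). If so, `talisman.init_app` has become conditional on a logging toggle: an operator who sets `CONTENT_SECURITY_POLICY_WARNING = False` because CSP is enforced upstream, exactly what the documentation added in this commit recommends, also loses every other header Talisman sets, and Talisman is never initialised while `superset_app.debug` is True. The toggle and debug mode should gate only the log message, not the middleware; the rewrite below initialises Talisman whenever it is enabled and decides separately whether to warn. The enclosing method starts before this hunk.
```python
        # … unchanged: Flask-Compress …
        show_csp_warning = False
        if self.config["TALISMAN_ENABLED"]:
            talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
            if not self.config["TALISMAN_CONFIG"].get("content_security_policy"):
                show_csp_warning = True
        else:
            show_csp_warning = True

        # Only the log message depends on the toggle and on debug mode;
        # Talisman itself is initialised whenever it is enabled.
        if (
            show_csp_warning
            and self.config["CONTENT_SECURITY_POLICY_WARNING"]
            and not self.superset_app.debug
        ):
            logger.warning(
                # … unchanged: warning message …
            )
```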