Network and Security Settings
Liteset runs on Litestar/ASGI, so the Flask-CORS / flask-talisman / flask-wtf extensions are not active. Their configuration keys (ENABLE_CORS, CORS_OPTIONS, TALISMAN_ENABLED, TALISMAN_CONFIG, WTF_CSRF_*) are still read from superset_config.py and applied by Liteset's own middleware stack — built on Starlette's CORSMiddleware, TrustedHostMiddleware and a Litestar CSRF middleware. Configuration is identical; the underlying implementation is async.
CORS
The following keys in superset_config.py configure CORS:
- ENABLE_CORS: must be True to enable CORS.
- CORS_OPTIONS: a dict of CORS options. Liteset accepts the same dict shape as Flask-CORS — origins, supports_credentials, allow_headers, methods, expose_headers, max_age — and forwards them to Starlette's CORSMiddleware. See the Flask-CORS docs for option semantics.
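The following check is an added example, not Liteset's own code: it lints a CORS_OPTIONS dict of the shape listed above and shows a weak configuration beside a corrected one. The function name audit_cors_options and the sample origins are assumptions.

```python
# Added example, not Liteset code. Key names follow the CORS_OPTIONS shape
# listed above; the sample origins below are constructed.
from urllib.parse import urlsplit


def audit_cors_options(options: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    credentials = bool(options.get("supports_credentials", False))
    origins = options.get("origins")
    if origins is None:
        return ["origins not set: list the allowed origins explicitly"]
    if isinstance(origins, str):
        origins = [origins]

    # Entries are treated as literal origins; pattern-style entries are not evaluated.
    for origin in origins:
        if origin == "*":
            findings.append(
                "wildcard origin with supports_credentials" if credentials
                else "wildcard origin"
            )
            continue
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"{origin}: not a scheme://host[:port] origin")
            continue
        if parts.path or parts.query or parts.fragment:
            # Browsers send Origin without a path, so this entry never matches exactly.
            findings.append(f"{origin}: origin must not carry a path, query or fragment")
        if parts.scheme == "http" and credentials:
            findings.append(f"{origin}: credentialed CORS over plain http")
    return findings


# Constructed configurations: the weak form and a corrected one.
WEAK = {"origins": "*", "supports_credentials": True}
FIXED = {
    "origins": ["https://portal.my-domain.com"],
    "supports_credentials": True,
    "allow_headers": ["X-CSRFToken", "Content-Type"],
    "methods": ["GET", "POST"],
    "max_age": 600,
}
```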
HTTP headers
Apache Superset bundles flask-talisman to set security headers (CSP, HSTS, X-Frame-Options, etc.). Liteset implements the same behaviour through a Litestar middleware that consumes the TALISMAN_ENABLED and TALISMAN_CONFIG keys from superset_config.py — the configuration surface is unchanged.
HTML embedding of dashboards and charts
There are two ways to embed a dashboard: using the SDK or embedding a direct link. Note that in the latter case anyone with the link can access the dashboard.
Embedding a public direct link to a dashboard
This works by changing the content security policy (CSP) to allow specific domains to display Liteset content, then making a dashboard publicly accessible (i.e. bypassing authentication). The dashboard URL can then be added to an iframe in another website's HTML.
Changing the CSP
Add the entire TALISMAN_CONFIG block from superset/config.py to your superset_config.py and include a frame-ancestors clause:
    TALISMAN_ENABLED = True
    TALISMAN_CONFIG = {
        "content_security_policy": {
            # ...
            "frame-ancestors": ["*.my-domain.com", "*.another-domain.com"],
            # ...
        },
    }
Restart Liteset for the change to take effect.
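To see which embedding pages a frame-ancestors list like the one above admits, here is an added example (not Liteset code) that applies the CSP wildcard-host rule. It is simplified to the host part only and assumes every page is served over https on the default port; the function names and test URLs are constructed.

```python
# Added example, not Liteset code: host-only matching of frame-ancestors
# sources, assuming https on the default port everywhere.
from urllib.parse import urlsplit


def host_matches(source: str, host: str) -> bool:
    """Match one scheme-less host-source against a hostname."""
    source, host = source.lower(), host.lower()
    if source == "*":
        return True
    if source.startswith("*."):
        # "*.example.com" covers any subdomain depth, but not example.com itself.
        return host.endswith(source[1:])
    return host == source


def can_embed(ancestors: list, parent_url: str, self_host: str = "") -> bool:
    """True if a page at parent_url may frame content sent with this list."""
    host = urlsplit(parent_url).hostname or ""
    for src in ancestors:
        if src == "'none'":
            continue  # matches nothing
        if src == "'self'":
            if host and host == self_host.lower():
                return True
            continue
        if host_matches(src, host):
            return True
    return False


# The list from the configuration above.
ANCESTORS = ["*.my-domain.com", "*.another-domain.com"]
```

The apex domain is the case that usually surprises: a page on my-domain.com itself is not covered by "*.my-domain.com" and needs its own entry.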
Making a dashboard public
- Add the 'DASHBOARD_RBAC': True feature flag to superset_config.py.
- Add the Public role to your dashboard as described here.
Embedding a public dashboard
<iframe
width="600"
height="400"
seamless
frameBorder="0"
scrolling="no"
src="https://liteset.my-domain.com/superset/dashboard/10/?standalone=1&height=400"
>
</iframe>
Embedding a chart
A chart's embed code can be generated from the chart's edit view: top-right ... → Share → Embed code.
Enabling embedding via the SDK
Click ... next to EDIT DASHBOARD on the top-right of the dashboard's overview page; the menu should include Embed dashboard.
To enable this entry, add the following to your .env:
SUPERSET_FEATURE_EMBEDDED_SUPERSET=true
CSRF settings
Apache Superset uses flask-wtf to manage CSRF; Liteset re-implements the same protection in an async middleware that reads the same WTF_CSRF_* keys.
To exempt endpoints from CSRF (for example, a custom auth postback endpoint), add them to WTF_CSRF_EXEMPT_LIST:
WTF_CSRF_EXEMPT_LIST = ["/auth/oauth-callback"]
The X-CSRFToken header used by the SPA frontend is identical to Apache Superset — no frontend changes required.
SSH tunneling
- Turn on the feature flag.
  - Set SSH_TUNNELING to True.
  - For extra security you can override the SSHTunnelManager class in superset_config.py.
  - SSH_TUNNEL_LOCAL_BIND_ADDRESS controls the host address where the tunnel will be accessible inside your VPC.
- Create a database with the SSH tunnel enabled.
  - With the feature flag on, the SSH tunnel toggle appears in the database connection dialog.
  - Liteset supports two authentication modes (basic + private key); credentials come from your service provider.
- Verify data flows.
  - Once SSH tunneling is enabled, go to SQL Lab and run a query to verify data is flowing through the tunnel.
HTTP/2
Liteset's recommended deployment puts Uvicorn behind a reverse proxy (nginx, Traefik, Caddy) that terminates TLS and speaks HTTP/2 upstream. With this setup HTTP/2 is available out of the box — no Liteset-side configuration needed. The SUPERSET_WEBSERVER_DOMAINS / domain-sharding workaround that existed in older Superset versions is not used.
Middleware
Liteset reads the ADDITIONAL_MIDDLEWARE key from superset_config.py to install custom middleware. Two formats are accepted:
- Litestar / ASGI middleware — the recommended form. A list of classes or factories conforming to the Litestar middleware protocol. These are added to Litestar(middleware=[...]) in app-factory order.
- WSGI middleware (compatibility shim) — a list of WSGI-style middlewares. They are wrapped in WsgiToAsgi and run before the request reaches the Litestar router. Use this only when porting an existing Apache Superset middleware that you don't want to rewrite.
For example, to map HTTP_X_PROXY_REMOTE_USER from a reverse proxy onto the request user (the equivalent of the Apache Superset Flask snippet that copied the header into Gunicorn's REMOTE_USER):
    # superset_config.py
    from litestar.middleware import DefineMiddleware
    from superset.middleware.remote_user import RemoteUserHeaderMiddleware

    ADDITIONAL_MIDDLEWARE = [
        DefineMiddleware(RemoteUserHeaderMiddleware, header="x-proxy-remote-user"),
    ]
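A header that sets the request user is only safe if clients cannot send it themselves. The following plain ASGI middleware is an added example, not Liteset's own code: it drops the header unless the direct peer is the reverse proxy. The class name, TRUSTED_PROXIES and the sample addresses are assumptions.

```python
# Added example, not Liteset code: strip a client-supplied identity header
# unless the request arrives from the trusted reverse proxy.
import asyncio

TRUSTED_PROXIES = frozenset({"10.0.0.5"})  # constructed proxy address


class StripUntrustedRemoteUser:
    def __init__(self, app, header="x-proxy-remote-user", trusted=TRUSTED_PROXIES):
        self.app = app
        self.header = header.lower().encode("latin-1")
        self.trusted = frozenset(trusted)

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            client = scope.get("client")  # (host, port) of the direct peer, or None
            peer = client[0] if client else None
            if peer not in self.trusted:
                # Copy the scope so the caller's dict is left untouched.
                scope = dict(scope)
                scope["headers"] = [
                    (k, v) for k, v in scope["headers"] if k.lower() != self.header
                ]
        await self.app(scope, receive, send)


def seen_headers(peer_ip: str) -> dict:
    """Send one constructed request through the middleware; return what the app sees."""
    captured = {}

    async def inner_app(scope, receive, send):
        captured.update({k.decode(): v.decode() for k, v in scope["headers"]})

    scope = {
        "type": "http",
        "client": (peer_ip, 40000),
        "headers": [
            (b"host", b"liteset.my-domain.com"),
            (b"x-proxy-remote-user", b"admin"),
        ],
    }
    asyncio.run(StripUntrustedRemoteUser(inner_app)(scope, None, None))
    return captured
```

It has to run before whatever middleware consumes the header. It reads the direct peer address, so it does not combine with Uvicorn's --proxy-headers, which replaces scope["client"] with the forwarded address.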
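If you're running behind nginx/HAProxy and only need correct scheme/host/IP, you don't need a custom middleware — pass --proxy-headers --forwarded-allow-ips '*' to Uvicorn instead. With '*', Uvicorn trusts forwarded headers from any peer, so use it only when Uvicorn is reachable solely through the proxy; otherwise pass the proxy's address in place of '*'.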