985958118
commented
1 month ago Open 985958118 opened 1 month ago
985958118
commented
1 month ago 
eradman
commented
1 month ago There is a setting to enable CSRF
ENFORCE_CSRF = parse_boolean(os.environ.get("REDASH_ENFORCE_CSRF", "false"))Try adding this to your .env file.
This is not documented! This should be added to https://redash.io/help/open-source/admin-guide/env-vars-settings/
justinclift
commented
1 month ago @lucydodo Any interest in adding that? ^^^ :smile:
lucydodo
commented
1 month ago @justinclift Sure. I'll go home and add it to the documentation. :)
justinclift
commented
1 month ago @985958118 @eradman It's now on the website's environment variables list:
https://redash.io/help/open-source/admin-guide/env-vars-settings/
eradman
commented
1 month ago @985958118 did enabling CSRF solve your problem?
HTML:
Nginx:
server { listen 8080; servername ; location / { proxy_pass http://xxx:5000; more_set_headers "Access-Control-Allow-Origin: * "; more_set_headers "X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-src redash.io;"; more_set_headers "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-src redash.io;"; more_set_headers "X-Frame-Options: xxx"; more_set_headers "Set-Cookie: $sent_http_set_cookie; HttpOnly; Secure; SameSite=None"; } }