Superset has mature RBAC and deployment security controls, but production safety depends on explicit configuration. The project’s Docker Compose quickstart is not intended as a hardened production deployment.
¶ 1) Set and protect SECRET_KEY in production
Superset requires a unique SECRET_KEY and documents it as a production requirement.
Hardening controls:
- set SUPERSET_SECRET_KEY to a strong random value per environment
- never reuse development keys in staging/production
- rotate keys through controlled maintenance windows with backup/restore tested
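The startup check below is an added example, not code from Superset or its documentation. It refuses to hand Superset a SECRET_KEY that is unset, a known placeholder, or too short, so a container that was launched with development settings fails at boot instead of signing sessions with a guessable key. Assumptions: the environment variable is SUPERSET_SECRET_KEY as named above; KNOWN_PLACEHOLDERS is a constructed list (the first entry mirrors the "change me" style default a fresh install ships with, the rest are typical test fixtures); MIN_KEY_BYTES is an assumed floor.

```python
"""Added example (not from the Superset project): fail fast on a missing or
placeholder SECRET_KEY before the application starts.

Assumptions, also stated in the lead-in:
- the environment variable name is SUPERSET_SECRET_KEY;
- KNOWN_PLACEHOLDERS is a constructed list; extend it with any value your own
  dev/test fixtures use;
- MIN_KEY_BYTES = 32 is an assumed floor (256 bits of entropy).
"""
import base64
import binascii
import os
import secrets
from typing import Mapping, Optional

MIN_KEY_BYTES = 32

KNOWN_PLACEHOLDERS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",  # "change me" style default
    "thisISaSECRET_1234",                    # constructed fixture value
    "secret",
    "changeme",
}


class InsecureSecretKey(RuntimeError):
    """Raised when SECRET_KEY is absent, a placeholder, or too short."""


def _decoded_length(value: str) -> int:
    """Entropy-carrying length of the key in bytes.

    Keys made with `openssl rand -base64 42` are base64 text, so a 32-byte key
    arrives as 44 characters; measure the decoded size when the value is valid
    base64, otherwise fall back to the raw byte length.
    """
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return len(value.encode())


def secret_key_problem(value: Optional[str]) -> Optional[str]:
    """Return a human-readable problem with the key, or None if it is acceptable."""
    if value is None or not value.strip():
        return "SUPERSET_SECRET_KEY is not set"
    if value.strip() in KNOWN_PLACEHOLDERS:
        return "SUPERSET_SECRET_KEY is a known placeholder value"
    if _decoded_length(value) < MIN_KEY_BYTES:
        return f"SUPERSET_SECRET_KEY carries fewer than {MIN_KEY_BYTES} bytes of key material"
    return None


def load_secret_key(environ: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment, raising on anything unsafe."""
    value = environ.get("SUPERSET_SECRET_KEY")
    problem = secret_key_problem(value)
    if problem:
        raise InsecureSecretKey(problem)
    return value  # type: ignore[return-value]  # problem is None only if value is set


def generate_secret_key(num_bytes: int = 42) -> str:
    """Same shape as `openssl rand -base64 42`, for bootstrapping a new environment."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode()


# In superset_config.py (imported by Superset at startup) the single line
#     SECRET_KEY = load_secret_key()
# makes the check run before any request is served.
```

Because the check runs at import time of superset_config.py, a misconfigured staging or production container never reaches a healthy state, which is easier to notice in a rollout than a silently weak key.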
¶ 2) Enforce TLS and reverse-proxy security headers
Superset recommends running behind a reverse proxy and enabling HTTPS in production.
Baseline:
- terminate TLS with valid certificates and force HTTP to HTTPS redirects
- trust forwarded-client headers only from the proxy itself, and do not expose the gunicorn/container ports directly
- apply HSTS, X-Content-Type-Options, and CSP through proxy policy
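The audit below is an added example, not code from Superset or its documentation. It checks a captured set of response headers from the reverse proxy against the baseline above (HSTS with a long max-age and includeSubDomains, X-Content-Type-Options: nosniff, and a CSP with a default-src fallback, no inline scripts and a frame-ancestors directive). The SAMPLE_* header sets are constructed, not real captures, and MIN_HSTS_MAX_AGE is an assumed threshold. Superset's own UI relies on inline styles, so only script-src is held to the no-inline rule.

```python
"""Added example, not from Superset or its documentation: audit the security
headers a reverse proxy returns in front of Superset. SAMPLE_* dicts are
constructed header sets; MIN_HSTS_MAX_AGE is an assumed threshold."""
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31536000  # assumption: one year


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hsts_findings(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Strict-Transport-Security missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def _csp_findings(value: Optional[str]) -> List[str]:
    if value is None:
        return ["Content-Security-Policy missing"]
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    # Superset's UI needs inline styles, so only script-src is checked here;
    # nonces or hashes are the expected way to allow the app's own scripts.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        findings.append("CSP allows inline scripts (unsafe-inline in script-src)")
    if "frame-ancestors" not in policy:
        findings.append("CSP has no frame-ancestors (no clickjacking protection)")
    return findings


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = _hsts_findings(_get_header(headers, "Strict-Transport-Security"))
    xcto = _get_header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    findings += _csp_findings(_get_header(headers, "Content-Security-Policy"))
    return findings


# Constructed samples: what a hardened proxy returns, what a bare gunicorn
# port returns, and a partially configured proxy.
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-abc123'; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
        "frame-ancestors 'none'"
    ),
}
SAMPLE_BARE_GUNICORN = {"Content-Type": "text/html; charset=utf-8", "Server": "gunicorn"}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("bare", SAMPLE_BARE_GUNICORN), ("weak", SAMPLE_WEAK)):
        print(label, audit_security_headers(sample) or "OK")
```

Feed it the headers of a real probe of your own deployment (for example the dict returned by an HTTP client) and wire it into a post-deploy smoke test so a proxy change that drops a header is caught before users notice.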
¶ 3) Restrict roles and permissions
Superset’s security model is role-based; default roles (Admin, Alpha, Gamma, etc.) are intended to segment capabilities.
Access controls:
- restrict Admin role to platform operators only
- grant SQL Lab/database access only where required
- review role grants periodically and remove stale permissions
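A periodic grant review can be scripted; the example below is added here and is not Superset's own code. It flags users who hold Admin without being on an operator allowlist, non-Admin roles that carry database-wide or SQL Lab grants, and roles with no members. The permission and view names (all_database_access, can sql_json on Superset, and so on) are the ones Superset uses; the roles, users and the Legacy_Reports role are constructed. Load real data from your own export (for instance the JSON written by `superset fab export-roles`, whose exact layout this example does not assume).

```python
"""Added example, not Superset's own code: review role grants for over-broad
permissions, unexpected Admin members and stale roles. Sample data is
constructed; only the permission/view names mirror Superset's own."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (kind, subject, detail)

# Grants that reach beyond a single dashboard, chart or dataset.
BROAD_GRANTS = {
    "all_database_access on all_database_access": "unrestricted access to every configured database",
    "all_datasource_access on all_datasource_access": "unrestricted access to every dataset",
    "can sql_json on Superset": "can execute SQL in SQL Lab",
    "menu access on Security": "can reach user/role administration",
}

# Constructed sample: role -> "<permission> on <view>" strings.
SAMPLE_ROLE_PERMS: Dict[str, Set[str]] = {
    "Admin": {
        "all_database_access on all_database_access",
        "all_datasource_access on all_datasource_access",
        "can sql_json on Superset",
        "menu access on Security",
    },
    "Gamma": {"can read on Dashboard", "can read on Chart"},
    "Analysts": {
        "can sql_json on Superset",
        "all_database_access on all_database_access",
        "can read on Dashboard",
    },
    "Marketing": {"can read on Dashboard", "database access on [marketing_ro].(id:3)"},
    "Legacy_Reports": {"can read on Dashboard"},
}

# Constructed sample: user -> roles held.
SAMPLE_USER_ROLES: Dict[str, List[str]] = {
    "ops-alice": ["Admin"],
    "bob": ["Admin", "Gamma"],
    "carol": ["Analysts"],
    "dave": ["Marketing"],
}


def review_grants(
    role_perms: Dict[str, Set[str]],
    user_roles: Dict[str, List[str]],
    admin_allowlist: Iterable[str],
    sql_lab_roles: FrozenSet[str] = frozenset(),
) -> List[Finding]:
    """Return review findings. sql_lab_roles are roles approved to run SQL."""
    allowed_admins = set(admin_allowlist)
    members: Dict[str, Set[str]] = {}
    for user, roles in user_roles.items():
        for role in roles:
            members.setdefault(role, set()).add(user)

    findings: List[Finding] = []
    for user in sorted(members.get("Admin", set())):
        if user not in allowed_admins:
            findings.append(("admin-not-allowlisted", user, "holds Admin but is not a listed platform operator"))

    for role, perms in role_perms.items():
        if role == "Admin":
            continue
        for perm in sorted(perms & set(BROAD_GRANTS)):
            if perm == "can sql_json on Superset" and role in sql_lab_roles:
                continue  # SQL Lab access was explicitly approved for this role
            findings.append(("broad-grant", role, f"{perm}: {BROAD_GRANTS[perm]}"))
        if not members.get(role):
            findings.append(("stale-role", role, "no users assigned; remove or document why it exists"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_grants(
        SAMPLE_ROLE_PERMS, SAMPLE_USER_ROLES, admin_allowlist={"ops-alice"}, sql_lab_roles=frozenset({"Analysts"})
    ):
        print(f"{kind:24} {subject:16} {detail}")
```

Run it from a scheduled job and diff the output against the previous run: a new "broad-grant" or "admin-not-allowlisted" line is the signal that a grant slipped in outside the change process.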
¶ 4) Lock down database connectivity and SQL execution
Superset can connect to many data sources and execute SQL, which increases blast radius if broadly exposed.
Risk reduction:
- use read-only DB accounts for dashboards whenever possible
- segment database credentials per datasource/team
- disable or tightly control features that allow arbitrary SQL for non-privileged users
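The connection audit below is an added example, not code from Superset. It reads a list of database connection records and reports connections that authenticate as a privileged account, connections that allow DML from SQL Lab, and one set of credentials reused across several datasources. SAMPLE_DATABASES is constructed: the field names (database_name, sqlalchemy_uri, allow_dml, expose_in_sqllab) mirror Superset's Database model, the hosts, users and values are invented, and PRIVILEGED_USERNAMES is an assumed list to tune for your own environment.

```python
"""Added example, not Superset's own code: audit database connection records
for privileged accounts, DML from SQL Lab and shared credentials.
SAMPLE_DATABASES is constructed; PRIVILEGED_USERNAMES is an assumption."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str, str]  # (kind, subject, detail)

# Assumed list of account names that should never back a dashboard connection.
PRIVILEGED_USERNAMES: Set[str] = {"postgres", "root", "sa", "admin", "superuser"}

# Constructed sample records in the shape of Superset's Database model fields.
SAMPLE_DATABASES = [
    {
        "database_name": "sales_dashboards",
        "sqlalchemy_uri": "postgresql+psycopg2://reporting_ro:x@sales-db.internal:5432/sales",
        "allow_dml": False,
        "expose_in_sqllab": True,
    },
    {
        "database_name": "marketing",  # reuses the sales_dashboards credential
        "sqlalchemy_uri": "postgresql+psycopg2://reporting_ro:x@sales-db.internal:5432/marketing",
        "allow_dml": False,
        "expose_in_sqllab": True,
    },
    {
        "database_name": "warehouse",  # superuser account with writes enabled
        "sqlalchemy_uri": "postgresql://postgres:x@warehouse.internal:5432/dw",
        "allow_dml": True,
        "expose_in_sqllab": True,
    },
    {
        "database_name": "hr_readonly",
        "sqlalchemy_uri": "mysql+mysqldb://hr_ro:x@hr-db.internal:3306/hr",
        "allow_dml": False,
        "expose_in_sqllab": False,
    },
]


def audit_databases(databases: Iterable[Dict], privileged: Set[str] = PRIVILEGED_USERNAMES) -> List[Finding]:
    """Return findings for the given connection records."""
    findings: List[Finding] = []
    by_credential: Dict[Tuple[str, str, int], List[str]] = defaultdict(list)

    for record in databases:
        name = record["database_name"]
        url = urlsplit(record["sqlalchemy_uri"])  # SQLAlchemy URIs parse as URLs
        user = url.username or ""

        if user.lower() in privileged:
            findings.append(("privileged-account", name, f"connects as '{user}'"))

        if record.get("allow_dml"):
            where = "SQL Lab" if record.get("expose_in_sqllab") else "API"
            findings.append(("dml-enabled", name, f"INSERT/UPDATE/DELETE permitted from {where}"))

        if user and url.hostname:
            by_credential[(user, url.hostname, url.port or 0)].append(name)

    for (user, host, port), names in by_credential.items():
        if len(names) > 1:
            subject = ", ".join(sorted(names))
            findings.append(("shared-credential", subject, f"{user}@{host}:{port} reused across datasources"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_databases(SAMPLE_DATABASES):
        print(f"{kind:20} {subject:32} {detail}")
```

A read-only reporting account per datasource and team keeps each finding category empty: a compromised dashboard credential then cannot write, and revoking one team's credential does not break another team's dashboards.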
¶ 5) Do not run the Docker Compose quickstart in production
Superset docs explicitly note the Docker Compose setup is mainly for local development/evaluation.
Production policy:
- use dedicated production deployment architecture, not the local dev compose defaults
- externalize secrets/config via environment and secret stores
- patch Superset and its Python dependencies on a regular cadence
Sources:
- Superset security documentation (RBAC model, security architecture): https://superset.apache.org/docs/security/
- Superset configuration docs (SECRET_KEY and production settings): https://superset.apache.org/docs/configuration/configuring-superset/
- Superset Docker Compose note (local development/evaluation scope): https://superset.apache.org/docs/installation/docker-compose/