Deploying Apache Superset with HTTPS

Hi Folks! 👋

Today I'll walk you through how I deployed Apache Superset and embedded it securely into a React frontend with a Quarkus backend.

Along the way, I'll share the issues I faced (like failed HTTPS, static asset errors) and the final working solution. Hopefully this saves you hours of frustration!


Why This Guide?

Out of the box, Superset runs only on HTTP (port 8088). If you try to access it at:

http://yourdomain.com:8088/login/

…it works fine. But the moment you try https://yourdomain.com:8088, it breaks. Superset itself doesn't serve HTTPS, so you'll need a reverse proxy in front of it.

I initially tried to host Superset under the same domain + path (subpathing) as my frontend app (e.g. /superset), but it led to endless problems:

  • Mixed content errors in browser
  • Superset static files (/static/assets/...) not found (see image below)

Superset Static Asset Error

After a lot of trial and error, I realized the simplest & cleanest approach is:

Recommended Approach
  • Deploy Superset under a separate CloudFront domain
  • Use NGINX reverse proxy to handle HTTPS and pass requests to Superset
  • Configure Superset with proper feature flags & cookie settings

Superset config.py Settings

Here are the key settings that worked for me:

ENABLE_PROXY_FIX = True
PREFERRED_URL_SCHEME = "https"
SUPERSET_WEBSERVER_BASEURL = "https://yourdomain.com"

# Needed if embedding Superset dashboards in another domain/subdomain
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "None"

# Optional but helps with reverse proxy setups
PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1}

⚠️ Important Note

Don't try setting APPLICATION_ROOT = /superset – it caused static asset issues for me. Better to keep Superset at /.


NGINX Reverse Proxy Config

Here's the working nginx.conf block I used:

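http {

    upstream superset {
        server 127.0.0.1:8088;
    }

    server {
        # Plain HTTP listener; TLS is assumed to terminate upstream
        # (the CloudFront distribution in this setup).
        listen 80;
        server_name _;
        client_max_body_size 200M;

        location / {
            proxy_pass http://superset;

            # Forwarded headers that Superset reads when ENABLE_PROXY_FIX = True
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # Hard-coded: this listener only sees plain HTTP, so $scheme
            # would report http and must not be sent alongside https.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port  443;
            proxy_set_header X-Forwarded-Host  $host;

            # Rewrite any http:// Location header from Superset to https://
            proxy_redirect http:// https://;
        }

    }

}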

This ensures:

  • All requests go through HTTPS
  • Superset thinks it's running on HTTPS
  • No more mixed-content errors when embedding dashboards

Issues Faced With Same Domain Pathing

I did try to mount Superset under the same domain with subpathing (e.g., https://your-domain.com/superset).

Unfortunately, Superset doesn't play nicely with path prefixes. I got errors like:

Blocked loading mixed active content
"http://your-domain.com/login/?token=..."

And also:

Blocked loading mixed active content
"http://your-domain.com/analytics/static/appbuilder/css/select2/select2.min.css"

So my final advice: don't fight it like I tried, just use a separate domain/subdomain for Superset.

But if you do want to keep trying, here is an example config to start from:

https://github.com/KomootArchive/superset-reverse-nginx-example/blob/master/nginx/nginx.conf


Working Approach - Separate Domain/Subdomain for Superset

Once Superset was up on a dedicated CloudFront domain, embedding into my React app was easy:

  • Generate an embed token in the Quarkus backend
  • Pass it securely to the React frontend
  • Load the Superset dashboard in an <iframe>

For example:

<iframe
  src={`https://your-domain.com/superset/dashboard/11?standalone=3&show_filters=0&token=${embedToken}`}
  width="100%"
  height="800"
  frameBorder="0"
/>

And that's it 🎉 — fully working, secure, embedded Superset dashboards!


Clean HTTPS Setup (No Subpath)

When I switched to a clean domain for Superset (no subpathing), I ran into another issue:

  • Redirect loops → Superset redirected HTTPS requests down to HTTP.

This was solved by adjusting the Superset config.py:

ENABLE_PROXY_FIX = True
PREFERRED_URL_SCHEME = "https"
SUPERSET_WEBSERVER_BASEURL = "https://your-domain.com"

Once this was in place, HTTPS loaded correctly.
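
Why ENABLE_PROXY_FIX and the PROXY_FIX_CONFIG counts from the config.py section stop the downgrade to HTTP, as an added example (not code from this post or from Superset): a simplified, stdlib-only model of the trusted-hop selection that a proxy-fix middleware such as Werkzeug's ProxyFix performs on the X-Forwarded-* headers nginx sets. The hostname, addresses and function names are constructed for illustration.

```python
DEFAULT_PORTS = {"http": "80", "https": "443"}
PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1}  # from the page

# Constructed request as it reaches Superset on 127.0.0.1:8088 behind nginx.
# superset.example.com and both addresses are placeholder values.
SAMPLE = {
    "Host": "superset.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "superset.example.com",
    "X-Forwarded-Port": "443",
    # $proxy_add_x_forwarded_for appends the peer nginx saw (rightmost) to
    # whatever X-Forwarded-For value arrived with the request (leftmost).
    "X-Forwarded-For": "198.51.100.7, 203.0.113.10",
}


def trusted_value(header, hops):
    """Pick the entry written by the proxy `hops` positions from the right."""
    if not hops or not header:
        return None
    values = [v.strip() for v in header.split(",")]
    return values[-hops] if len(values) >= hops else None


def resolve(headers, peer_addr, config=None):
    """Return (scheme, host, client_ip) as the application would see them."""
    cfg = config or {}  # empty config models ENABLE_PROXY_FIX = False
    scheme = trusted_value(headers.get("X-Forwarded-Proto"), cfg.get("x_proto")) or "http"
    host = trusted_value(headers.get("X-Forwarded-Host"), cfg.get("x_host")) or headers.get("Host", "")
    port = trusted_value(headers.get("X-Forwarded-Port"), cfg.get("x_port"))
    if port and port != DEFAULT_PORTS.get(scheme):
        host = f"{host.rsplit(':', 1)[0]}:{port}"  # IPv6 literals not handled
    client = trusted_value(headers.get("X-Forwarded-For"), cfg.get("x_for")) or peer_addr
    return scheme, host, client


def login_redirect(headers, peer_addr, config=None):
    """Absolute URL the app would build for a redirect to /login/."""
    scheme, host, _ = resolve(headers, peer_addr, config)
    return f"{scheme}://{host}/login/"


if __name__ == "__main__":
    print(login_redirect(SAMPLE, "127.0.0.1"))                    # proxy fix off
    print(login_redirect(SAMPLE, "127.0.0.1", PROXY_FIX_CONFIG))  # proxy fix on
    print(resolve(SAMPLE, "127.0.0.1", PROXY_FIX_CONFIG)[2])      # client address
```

Each count in PROXY_FIX_CONFIG should equal the number of proxies you control that write that header; a higher count lets a client-supplied value through (here x_for set to 2 would select 198.51.100.7).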


Key Takeaways

💡 Summary
  1. Superset doesn't support HTTPS natively → use NGINX or another reverse proxy.
  2. Hosting Superset under a different path on the same domain = pain.
  3. The cleanest way is a dedicated subdomain + reverse proxy.
  4. Remember to configure Superset cookies & proxy headers for iframe embedding.

This approach has been rock-solid in production and makes embedding Superset dashboards a breeze. Hope this saves you the debugging time I went through!