GitHub user dosubot[bot] added a comment to the discussion: Unable to embed dashboard for Superset 5.0.0. Csrf token issue maybe
Yes, something did change in Superset 5.0.0: CSRF protection is now enforced more strictly on POST API endpoints, including /api/v1/security/guest_token/, which is used for embedding. In 4.x, embedding often worked with WTF_CSRF_ENABLED=True because the CSRF check was less strict or not applied to that endpoint by default. In 5.0.0, unless you explicitly disable CSRF globally (WTF_CSRF_ENABLED=False) or add the guest_token endpoint to WTF_CSRF_EXEMPT_LIST, POST requests to generate guest tokens will fail due to missing or invalid CSRF tokens—breaking embedding flows from external UIs. This is now a documented workaround for embedding in 5.x [see #33702](https://github.com/apache/superset/issues/33702) [see #32869](https://github.com/apache/superset/issues/32869).

If you want to keep CSRF protection enabled for the rest of your app, you can instead add the guest token endpoint to the exemption list in your config:

```python
WTF_CSRF_EXEMPT_LIST = [
    "superset.security.api.guest_token",
    # ...other endpoints
]
```

But by default, disabling CSRF is the recommended way to get embedding working in 5.0.0.
GitHub link: https://github.com/apache/superset/discussions/33886#discussioncomment-13564553
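Added example (not part of the discussion or of Superset itself): a small check that loads a `superset_config.py` and reports which of the two CSRF postures described above it ends up in, so an upgrade to 5.0.0 can be reviewed for a global `WTF_CSRF_ENABLED=False` versus the narrower guest-token exemption. The sample configs and the `csrf_posture` / `extra_exemptions` function names are constructed here; the view name `superset.security.api.guest_token` is the one quoted in the comment.

```python
"""Report the CSRF posture of a Superset config after the 5.0.0 upgrade."""
import runpy
import sys
from typing import Any, Mapping

# View name for the guest-token endpoint, as given in the discussion comment.
GUEST_TOKEN_VIEW = "superset.security.api.guest_token"

# Constructed sample configs standing in for superset_config.py module globals.
GLOBAL_DISABLE = {"WTF_CSRF_ENABLED": False}                      # weak: CSRF off everywhere
NARROW_EXEMPTION = {"WTF_CSRF_ENABLED": True,                      # preferred: one endpoint exempt
                    "WTF_CSRF_EXEMPT_LIST": [GUEST_TOKEN_VIEW, "superset.views.core.log"]}
STRICT_DEFAULT = {"WTF_CSRF_ENABLED": True}                        # 5.0.0 default: embedding POSTs fail


def load_config(path: str) -> Mapping[str, Any]:
    """Execute a superset_config.py and return its module globals (assumed helper)."""
    return runpy.run_path(path)


def csrf_posture(config: Mapping[str, Any]) -> str:
    """Classify how the config treats CSRF on the guest-token endpoint.

    "global-disable"   -> WTF_CSRF_ENABLED is False: every POST endpoint loses CSRF protection
    "narrow-exemption" -> CSRF stays on; only listed views (incl. guest_token) are exempt
    "strict"           -> CSRF on and guest_token not exempt; external guest-token POSTs fail
    """
    enabled = config.get("WTF_CSRF_ENABLED", True)  # Flask-WTF enables CSRF unless told otherwise
    exempt = set(config.get("WTF_CSRF_EXEMPT_LIST", []))
    if not enabled:
        return "global-disable"
    if GUEST_TOKEN_VIEW in exempt:
        return "narrow-exemption"
    return "strict"


def extra_exemptions(config: Mapping[str, Any]) -> list:
    """Views exempted beyond guest_token; each one deserves its own justification in review."""
    return sorted(set(config.get("WTF_CSRF_EXEMPT_LIST", [])) - {GUEST_TOKEN_VIEW})


if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else NARROW_EXEMPTION
    print("posture:", csrf_posture(cfg))
    print("other exemptions:", extra_exemptions(cfg))
```

Run it as `python check_csrf.py /path/to/superset_config.py`; without an argument it evaluates the constructed `NARROW_EXEMPTION` sample.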
