From 390f2244467a0fae868fb86dd983a62d74a57a11 Mon Sep 17 00:00:00 2001 From: pierrejeambrun Date: Tue, 6 May 2025 14:04:49 +0200 Subject: [PATCH 1/2] Update run-behind-proxy doc for CSP --- airflow-core/docs/howto/run-behind-proxy.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/airflow-core/docs/howto/run-behind-proxy.rst b/airflow-core/docs/howto/run-behind-proxy.rst index 294823753a585..212f3bcb14553 100644 --- a/airflow-core/docs/howto/run-behind-proxy.rst +++ b/airflow-core/docs/howto/run-behind-proxy.rst @@ -51,6 +51,11 @@ To do so, you need to set the following setting in your ``airflow.cfg``:: } } +- Some parts of the UI are rendered inside iframes (Auth managers security links for instance), you need to make sure that you are not setting a restricted CSP for iframe rendering + such as ``frame-ancestors 'none'``. You can set the CSP header in your reverse proxy configuration, for example: + + add_header Content-Security-Policy "frame-ancestors 'self';"; + - Use ``--proxy-headers`` CLI flag to tell Uvicorn to respect these headers: ``airflow api-server --proxy-headers`` - If your proxy server is not on the same host (or in the same docker container) as Airflow, then you will need to From 73231e243eb227d1743ab59466e43cd437b21ba7 Mon Sep 17 00:00:00 2001 From: Kaxil Naik Date: Tue, 6 May 2025 18:10:38 +0530 Subject: [PATCH 2/2] Update airflow-core/docs/howto/run-behind-proxy.rst --- airflow-core/docs/howto/run-behind-proxy.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/airflow-core/docs/howto/run-behind-proxy.rst b/airflow-core/docs/howto/run-behind-proxy.rst index 212f3bcb14553..c9eb3295bd29c 100644 --- a/airflow-core/docs/howto/run-behind-proxy.rst +++ b/airflow-core/docs/howto/run-behind-proxy.rst 
@@ -52,7 +52,7 @@ To do so, you need to set the following setting in your ``airflow.cfg``:: } - Some parts of the UI are rendered inside iframes (Auth managers security links for instance), you need to make sure that you are not setting a restricted CSP for iframe rendering - such as ``frame-ancestors 'none'``. You can set the CSP header in your reverse proxy configuration, for example: + such as ``frame-ancestors 'none'``. You can set the CSP header in your reverse proxy configuration, for example:: add_header Content-Security-Policy "frame-ancestors 'self';";
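Review bot: In [PATCH 1/2], the added bullet only says what to avoid ("you are not setting a restricted CSP for iframe rendering such as ``frame-ancestors 'none'``") and never states what is sufficient, so it can be read as advice to drop ``frame-ancestors`` altogether, which would lift the framing restriction for every origin. Suggest saying explicitly that ``frame-ancestors 'self'``, as in the example line, is enough for the iframe-rendered parts of the UI and still blocks framing by other sites. Wording in the same bullet: "restricted" should be "restrictive", and the comma after "(Auth managers security links for instance)" joins two sentences, so a full stop or "so" reads better there.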
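Review bot: In [PATCH 2/2], the example introduced by ``for example::`` is nginx syntax (``add_header``), while the sentence presents it as "your reverse proxy configuration" in general. Suggest "for example with nginx::" so that users of other proxies do not copy the line verbatim. A short sentence on nginx behaviour would also help here: ``add_header`` is only emitted on success and redirect responses unless ``always`` is appended, and an ``add_header`` in a nested block replaces the ones inherited from the enclosing level, so the directive has to be placed in the block that proxies Airflow.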