Disabling flask-talisman by default #7535

mistercrunch · 2019-05-17T04:16:46Z

SUMMARY

flask-talisman was enabled recently and while it may be virtuous in some
cases, it seems to break things out of the box.

Locally and in dev mode, upon my first redirect it sends to HTTPS and
things it crashes.

I think it should be opt-in, maybe we can recommend turning this on in
production in the docs?

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

flask-talisman was enabled recently and while it may be virtuous in some cases, it seems to break things out of the box. Locally and in dev mode, upon my first redirect it sends to HTTPS and things it crashes. I think it should be opt-in, maybe we can recommend turning this on in production in the docs?

john-bodley · 2019-05-17T16:53:19Z

@mistercrunch is this in development or production? If you're in development then setting FLASK_ENV=development enables the Flask debug mode and thus ensures that it uses HTTP rather than HTTPS.

lrosenman · 2019-05-17T17:15:49Z

@john-bodley I was the person on Slack that @mistercrunch helped. With talisman defaulting to ON and trying to set up a production setup, and zero hints on how to do the TLS certificates, I pulled my hair out all day yesterday.

Until/unless there is documentation on how to appease talisman's cert requirements, etc, I'd vote strongly for it being OFF by default, and strictly OPT-IN.

lrosenman · 2019-05-17T17:19:48Z

I also have concerns about making certificates for a Docker container that will be deployed multiple times on differing hosts, and no easy way to inject the certificates at build time.

mistercrunch · 2019-05-17T20:46:19Z

Pretty sure I tested and got the same issue with FLASK_ENV=development

flask-talisman was enabled recently and while it may be virtuous in some cases, it seems to break things out of the box. Locally and in dev mode, upon my first redirect it sends to HTTPS and things it crashes. I think it should be opt-in, maybe we can recommend turning this on in production in the docs? (cherry picked from commit 1fdc96a)

flask-talisman was enabled recently and while it may be virtuous in some cases, it seems to break things out of the box. Locally and in dev mode, upon my first redirect it sends to HTTPS and things it crashes. I think it should be opt-in, maybe we can recommend turning this on in production in the docs? (cherry picked from commit 42b28ff)

pull-request-size bot added the size/XS label May 17, 2019

john-bodley approved these changes May 18, 2019

View reviewed changes

mistercrunch merged commit 1fdc96a into apache:master May 20, 2019

mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.34.0 labels Feb 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disabling flask-talisman by default #7535

Disabling flask-talisman by default #7535

mistercrunch commented May 17, 2019

john-bodley commented May 17, 2019 •

edited

Loading

lrosenman commented May 17, 2019

lrosenman commented May 17, 2019

mistercrunch commented May 17, 2019

Disabling flask-talisman by default #7535

Disabling flask-talisman by default #7535

Conversation

mistercrunch commented May 17, 2019

CATEGORY

SUMMARY

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

john-bodley commented May 17, 2019 • edited Loading

lrosenman commented May 17, 2019

lrosenman commented May 17, 2019

mistercrunch commented May 17, 2019

john-bodley commented May 17, 2019 •

edited

Loading