From 450fde768cc0232e2247b8f6b4158877c292888c Mon Sep 17 00:00:00 2001
From: Erik Ritter <erik.ritter@airbnb.com>
Date: Thu, 10 Oct 2019 13:57:14 -0700
Subject: [PATCH] [Config] Cache static resources

---
 UPDATING.md            |  6 ++++++
 superset/config.py     | 13 +++++++++++--
 superset/views/core.py | 13 ++++++++++---
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/UPDATING.md b/UPDATING.md
index 55923ec8f2099..39e3e0c030ddd 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,12 @@ assists people when migrating to a new version.
 
 ## Next Version
 
+* [8370](https://github.com/apache/incubator-superset/pull/8370): Deprecates
+  the `HTTP_HEADERS` variable in favor of `DEFAULT_HTTP_HEADERS` and
+  `OVERRIDE_HTTP_HEADERS`. To retain the same behavior you should use
+  `OVERRIDE_HTTP_HEADERS` instead of `HTTP_HEADERS`. `HTTP_HEADERS` will still
+  work but may be removed in a future update.
+
 * We're deprecating the concept of "restricted metric", this feature
   was not fully working anyhow.
 * [8117](https://github.com/apache/incubator-superset/pull/8117): If you are
diff --git a/superset/config.py b/superset/config.py
index 79f723d45248f..235783e833170 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -435,8 +435,14 @@ class CeleryConfig(object):
 # CELERY_CONFIG = None
 
 # Additional static HTTP headers to be served by your Superset server. Note
-# Flask-Talisman aplies the relevant security HTTP headers.
-HTTP_HEADERS = {}
+# Flask-Talisman applies the relevant security HTTP headers.
+#
+# DEFAULT_HTTP_HEADERS: sets default values for HTTP headers. These may be overridden
+# within the app
+# OVERRIDE_HTTP_HEADERS: sets override values for HTTP headers. These values will
+# override anything set within the app
+DEFAULT_HTTP_HEADERS = {}
+OVERRIDE_HTTP_HEADERS = {}
 
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
@@ -665,6 +671,9 @@ class CeleryConfig(object):
 SESSION_COOKIE_SECURE = False  # Prevent cookie from being transmitted over non-tls?
 SESSION_COOKIE_SAMESITE = "Lax"  # One of [None, 'Lax', 'Strict']
 
+# Flask configuration variables
+SEND_FILE_MAX_AGE_DEFAULT = 60 * 60 * 24 * 365  # Cache static resources
+
 # URI to database storing the example data, points to
 # SQLALCHEMY_DATABASE_URI by default if set to `None`
 SQLALCHEMY_EXAMPLES_URI = None
diff --git a/superset/views/core.py b/superset/views/core.py
index d5bad8bd86b9c..9613b0b2ec8b3 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -3125,10 +3125,17 @@ class CssTemplateAsyncModelView(CssTemplateModelView):
 
 
 @app.after_request
-def apply_http_headers(response):
+def apply_http_headers(response: Response):
     """Applies the configuration's http headers to all responses"""
-    for k, v in config.get("HTTP_HEADERS").items():
-        response.headers[k] = v
+
+    # HTTP_HEADERS is deprecated, this provides backwards compatibility
+    response.headers.extend(
+        {**config["OVERRIDE_HTTP_HEADERS"], **config.get("HTTP_HEADERS", {})}
+    )
+
+    for k, v in config["DEFAULT_HTTP_HEADERS"].items():
+        if k not in response.headers:
+            response.headers[k] = v
     return response