senstive information geting displayed in /superset/dashboard/<id> call in bootstrap_data how to hide them

[Nivraj]

Hi all,
A lot of back-end logic is stored in the front-end as

some of it is sensitive information about db connections. Is there any way to easily obfuscate the data or should we do a refactor to save all the model logic in the server-side and pass only a parameter what is needed for charts to display?

[dosubot[bot]]

I found two similar unsolved discussions that might be relevant to your question:

1. Can we hide database, table, schema information in xhr responses? ^[1].
2. How to control information attached to the API query response of a chart? ^[2].

Regarding your question, Superset provides mechanisms to handle sensitive information. The redact_sensitive function can be used to mask sensitive fields in a payload using a predefined mask, such as PASSWORD_MASK. This function identifies and masks sensitive fields using JSONPath expressions ^[3].

Additionally, Superset's security model includes masking sensitive data like passwords in API responses. For example, passwords in SQLAlchemy URIs are masked as XXXXXXXXXX to prevent exposure over the network ^[4].

These methods can help ensure that sensitive information is not exposed in the front-end. You might need to implement similar masking for the bootstrap_data to protect sensitive information.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[Nivraj]

@dosu how do to hide information. if done, components like download other chart menu options aren't working

[dosubot[bot]]

To hide sensitive information in bootstrap_data without affecting the functionality of components like download and other chart menu options, you can use Superset's existing mechanisms for data masking. Specifically, you can utilize the redact_sensitive function to mask sensitive fields such as $.password and $.credentials.user_token in the bootstrap_data ^[1].

Additionally, Superset provides configurations for selective masking of sensitive information using methods like mask_encrypted_extra and unmask_encrypted_extra. These methods ensure that sensitive data is masked in API responses while allowing users to edit configurations without needing to re-enter sensitive information ^[2][3].

To ensure that the functionality of components is not affected, make sure that only the sensitive parts are masked and that the essential data required for the operation of chart menu options is still available. The menu_data part of bootstrap_data is crucial for chart menu options, so ensure it remains intact ^[4].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}