From c85e5f890e57fee69bb43e67294244f3a3769922 Mon Sep 17 00:00:00 2001 From: SeongTae Jeong Date: Tue, 30 Jul 2024 16:57:30 +0900 Subject: [PATCH] Add the 'REDASH_ENFORCE_CSRF' environment variable (#734) --- src/pages/kb/open-source/admin-guide/env-vars-settings.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pages/kb/open-source/admin-guide/env-vars-settings.md b/src/pages/kb/open-source/admin-guide/env-vars-settings.md index 309089dd0..2456e3247 100644 --- a/src/pages/kb/open-source/admin-guide/env-vars-settings.md +++ b/src/pages/kb/open-source/admin-guide/env-vars-settings.md 
@@ -12,7 +12,7 @@ most installs) can be set in `/opt/redash/.env`. When developing with Docker, cr The follow is a list of settings and what they control: | Name | Description | Default Value | -| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ | +|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| | `REDASH_REDIS_URL` | URL Redash services will use to read and write to redis | “redis://localhost:6379/0” | | `REDASH_DISABLE_PUBLIC_URLS` | Whether to disable access to public URLs | "false" | | `REDASH_BLOCKED_DOMAINS` | Comma separated of email domains that cannot create user accounts | "qq.com" | 
@@ -65,6 +65,7 @@ The follow is a list of settings and what they control: | `REDASH_CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS` | | false | | `REDASH_CORS_ACCESS_CONTROL_REQUEST_METHOD` | | GET, POST, PUT | | `REDASH_CORS_ACCESS_CONTROL_ALLOW_HEADERS` | | Content-Type | +| `REDASH_ENFORCE_CSRF` | Enforce CSRF token validation on API requests. **This is turned off by default to avoid breaking any existing deployments, but it is highly recommended to turn this toggle on to prevent CSRF attacks.** | false | | `REDASH_ENABLED_QUERY_RUNNERS` | Comma-separated list of query runners to be enabled (e.g. `redash.query_runner.pg,redash.query_runner.mysql`) | ”,”.join(default_query_runners) | | `REDASH_ADDITIONAL_QUERY_RUNNERS` | Comma-separated list of non-default query runners to be enabled | | | `REDASH_DISABLED_QUERY_RUNNERS` | Comma-separated list of query runners that will not appear in Redash | |
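Review bot: the first hunk (at `@@ -12,7 +12,7 @@`) is a whitespace-only change to the markdown table's separator row, dropping the spaces around the dash runs; it does not alter how the table renders and inflates a one-line documentation change into a two-hunk diff, so either drop it or mention it in the commit message so reviewers know it is intentional reformatting.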
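Review bot: the new `REDASH_ENFORCE_CSRF` row in the second hunk recommends turning the toggle on but does not say what value enables it or what clients must do once it is enforced; since the description warns that the default exists "to avoid breaking any existing deployments", state the accepted values (e.g. `"true"` to enable) and note that API callers need to supply a valid CSRF token after enabling it, otherwise an admin following the recommendation cannot predict what will break. Also, the default is given as bare `false` while `REDASH_DISABLE_PUBLIC_URLS` above uses `"false"`; pick one quoting style for boolean defaults in this table.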