GitHub user dosubot[bot] added a comment to the discussion: CSRF Token failing OR Dashboard Import failing
When the /api/v1/dashboard/import endpoint returns login page HTML, it means the request isn't authenticated—usually because the session cookie is missing or invalid, even if the CSRF token is present. This is common when using a proxy like NGINX if cookies or headers aren't forwarded correctly, or if browser cookie settings (like SameSite) block the session cookie on your domain [reference](https://github.com/apache/superset/issues/32315) [reference](https://github.com/apache/superset/discussions/32757).

Here's what to check:

1. Make sure your import request sends both the session cookie (from a successful login) and the X-CSRFToken header together. Both are required for authenticated API calls [reference](https://github.com/apache/superset/issues/32315).

2. Confirm your NGINX proxy forwards all relevant headers and cookies. Your config should include:

   ```
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_set_header X-Forwarded-Host $host;
   ```

   Any missing or incorrect header can break authentication [reference](https://github.com/apache/superset/discussions/32757).

3. If you use HTTPS on your domain, check that SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE in superset_config.py are compatible with your setup. The default 'Lax' setting may block cookies in some cross-site/proxy scenarios [reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/config.py).

4. Enable detailed logging in Superset to capture more info about failed requests:

   ```python
   import logging

   LOG_LEVEL = logging.DEBUG
   ```

   This can help you spot backend errors or authentication failures [reference](https://github.com/apache/superset/discussions/32998).
If you still see the login page HTML, try capturing the exact request headers and payload sent to /api/v1/dashboard/import, and double-check your NGINX config for any missing headers or cookie forwarding issues. This will help pinpoint where the authentication chain is breaking.

GitHub link: https://github.com/apache/superset/discussions/34504#discussioncomment-13957630
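The following is an added example, not part of the comment above and not Superset code: it takes a captured request/response pair for /api/v1/dashboard/import and reports which link of the authentication chain is missing, and it checks a login response's `Set-Cookie` value against the site scheme. It assumes the session cookie is named `session` (Flask's default); the function names and the sample capture are constructed for illustration.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumption: Flask's default session cookie name


def diagnose_import(req_headers, status, resp_headers, body):
    """Findings for one captured call to /api/v1/dashboard/import."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    sent = SimpleCookie()
    sent.load(req.get("cookie", ""))
    findings = []
    if SESSION_COOKIE not in sent:
        findings.append("session cookie not sent")
    if not req.get("x-csrftoken"):
        findings.append("X-CSRFToken header not sent")
    # Login page HTML or a redirect to /login instead of JSON means the
    # backend treated the request as unauthenticated.
    is_html = "text/html" in resp.get("content-type", "")
    if (is_html and "login" in body.lower()) or (
        status in (301, 302, 303, 307) and "/login" in resp.get("location", "")
    ):
        findings.append("login page returned: request not authenticated")
    return findings


def check_session_cookie_flags(set_cookie, scheme):
    """Check a login response's Set-Cookie value against the site scheme."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if SESSION_COOKIE not in jar:
        return ["login response did not set a session cookie"]
    morsel = jar[SESSION_COOKIE]
    secure = bool(morsel["secure"])
    samesite = morsel["samesite"].lower()
    problems = []
    if secure and scheme != "https":
        problems.append("Secure cookie will not be sent over http")
    if samesite == "none" and not secure:
        problems.append("SameSite=None requires Secure")
    return problems


# Constructed sample capture: CSRF token present, session cookie absent.
SAMPLE_REQ = {"X-CSRFToken": "constructed-token", "Cookie": "theme=dark"}
SAMPLE_RESP = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY = "<html><title>Superset</title><form action='/login/'></form></html>"

if __name__ == "__main__":
    print(diagnose_import(SAMPLE_REQ, 200, SAMPLE_RESP, SAMPLE_BODY))
    print(check_session_cookie_flags("session=x; HttpOnly; Path=/; SameSite=None", "https"))
```

Run it against headers copied from browser dev tools or a proxy capture; an empty list from both functions means the cookie and CSRF header were sent and the response was not a login page.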
