TVL Managed Superset

HTTPS and TLS for Apache Superset: 2026 Guide

Configure HTTPS and TLS for Apache Superset: Let's Encrypt, cert-manager, ingress nginx, HSTS, redirect. Step-by-step.

Putting Apache Superset behind HTTPS is non-negotiable in production: without TLS, credentials, sessions, and business data travel in plain text. This guide details the most common methods (Let's Encrypt, cert-manager, reverse proxy) in 2026.

1. Why HTTPS is mandatory

  • Confidentiality: SQL queries and results are sensitive;
  • Integrity: prevents in-transit modifications (man-in-the-middle);
  • Authentication: proves the server's identity;
  • SEO and trust: Chrome marks HTTP sites as "Not Secure".

If you want automatic HTTPS without configuration, TVL Managed Superset applies cert-manager + Let's Encrypt on all instances by default.

2. Three common approaches

| Method | Use case |
|---|---|
| Caddy | Bare-metal, Docker VPS, maximum simplicity |
| Nginx + certbot | Classic VPS, fine control |
| ingress-nginx + cert-manager | Kubernetes, automation |

3. Caddy approach (the simplest)

On a single-host Docker server:

# Caddyfile
superset.example.com {
    reverse_proxy localhost:8088
}

Caddy automatically handles:

  • Let's Encrypt certificate issuance;
  • Renewal before expiration (90 days);
  • HTTP → HTTPS redirect;
  • HTTP/2 and HTTP/3.

4. Nginx + certbot approach

More traditional configuration:

# 1. Initial issuance
sudo certbot --nginx -d superset.example.com

# 2. Automatic renewal (scheduled job already installed by certbot; on systemd hosts it is certbot.timer)
sudo systemctl status certbot.timer

Resulting Nginx configuration:

server {
    listen 443 ssl http2;
    server_name superset.example.com;

    ssl_certificate     /etc/letsencrypt/live/superset.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/superset.example.com/privkey.pem;

    # "always" also sends the header on error responses (4xx/5xx)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://localhost:8088;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name superset.example.com;
    return 301 https://$host$request_uri;
}

5. cert-manager approach on Kubernetes

Step 1 — create the Let's Encrypt ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

Step 2 — annotate the Superset Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: superset
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [superset.example.com]
      secretName: superset-tls
  rules:
    - host: superset.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: superset
                port:
                  number: 8088

cert-manager issues and renews the certificate automatically.

6. Additional security headers

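# ingress-nginx annotations
# (configuration-snippet only takes effect if the controller has allow-snippet-annotations enabled)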
nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "X-Frame-Options: SAMEORIGIN";
  more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

7. Test the TLS configuration
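
One way to check the redirect from section 4 and the headers from section 6 against saved `curl -sI` output, as an added example that is not part of the original guide. The function names and the two sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Expected values come from section 6 of this guide (compared case-insensitively).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_AGE = 63072000  # max-age used in this guide

# Constructed samples of `curl -sI` output, not captured from a real server.
SAMPLE_HTTPS = "HTTP/2 200\r\nstrict-transport-security: max-age=300; preload\r\nx-frame-options: DENY\r\n"
SAMPLE_HTTP = "HTTP/1.1 302 Found\r\nLocation: http://superset.example.com/login/\r\n"

def parse_response(raw):
    """Split raw `curl -sI` output into (status, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def audit_https(raw):
    """Findings for the HTTPS response; an empty list means it matches the guide."""
    _, headers = parse_response(raw)
    findings = []
    hsts = headers.get("strict-transport-security", "")
    directives = {d.strip().lower() for d in hsts.split(";")}
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS missing or max-age below %d" % MIN_HSTS_AGE)
    if "preload" in directives and "includesubdomains" not in directives:
        findings.append("HSTS preload without includeSubDomains")
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None or got.lower() != want:
            findings.append("%s is %r, expected %r" % (name, got, want))
    return findings

def audit_redirect(raw, host):
    """Port-80 response must be a permanent redirect to https:// on the same host."""
    status, headers = parse_response(raw)
    target = urlsplit(headers.get("location", ""))
    if status in (301, 308) and target.scheme == "https" and target.hostname == host.lower():
        return []
    return ["status %d to %r, expected 301/308 to https://%s" % (status, target.geturl(), host)]
```

Pass `audit_https` the output of `curl -sI https://superset.example.com` and `audit_redirect` the output of `curl -sI http://superset.example.com`; an empty list means the response matches the configuration shown in this guide.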

8. Common pitfalls

  • Let's Encrypt rate limit on issuance: 50 certificates/week. Use Let's Encrypt staging in dev;
  • DNS not propagated before issuance: HTTP-01 challenge fails;
  • Self-signed certificate in production: Chrome blocks, Superset may refuse some callbacks (OIDC);
  • HSTS preload enabled too early: impossible to remove HTTPS for 1+ year;
  • Mixed content: Superset configured in HTTP behind HTTPS reverse proxy without X-Forwarded-Proto.

9. Automatic renewal

All of the tools above renew certificates automatically, but check monthly:

  • certbot: sudo certbot renew --dry-run;
  • cert-manager: certificate status with kubectl describe certificate;
  • Caddy: Caddy logs show renewals.

10. Conclusion

HTTPS is free and automatic in 2026. No reason not to have it. The three approaches (Caddy, Nginx+certbot, cert-manager) cover 99% of cases. The real subject is hardening with HSTS, security headers, and regular tests via SSL Labs.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France), HTTPS and HSTS configured by default.
