Embedding an Apache Superset dashboard in a simple iframe is the fastest approach but has limits in security and UX. For a serious SaaS, the embedded SDK is preferable. This guide compares the approaches and details iframe best practices in 2026.
1. iframe vs embedded SDK
| Aspect | Simple iframe | Embedded SDK |
|---|---|---|
| Setup | 5 min | 1-2 days |
| Multi-tenant security | Limited | Strong (RLS via guest token) |
| UX | Standard Superset | Customizable |
| Authentication | Public or Superset login | Signed JWT tokens |
| Use case | Public, internal dashboards | B2B SaaS, multi-tenant |
If you want the preconfigured embedded SDK, see our embedded guide. For the simple iframe, follow this guide.
2. Simple iframe use cases
- Public dashboards (open data, transparency reports);
- Internal dashboards in an already authenticated intranet portal;
- Quick sales demos;
- POC before migration to embedded SDK.
3. Superset configuration for iframe
In superset_config.py:
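```python
# Allow iframe embedding.
# "ALLOWALL" is not a standard X-Frame-Options value, so browsers ignore the
# header; the frame-ancestors directive below is what limits who can embed.
HTTP_HEADERS = {"X-Frame-Options": "ALLOWALL"}
TALISMAN_CONFIG = {
    "force_https": True,
    "content_security_policy": {
        "default-src": ["'self'"],
        "frame-ancestors": ["'self'", "https://app.example.com"],
    },
}
# For public dashboards (use sparingly)
PUBLIC_ROLE_LIKE = "Gamma"
ENABLE_FILTER_BOX_MIGRATION = True
```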
4. HTML embed code
```html
<iframe
  src="https://superset.example.com/superset/dashboard/42/?standalone=2"
  width="100%"
  height="800"
  frameborder="0"
  sandbox="allow-scripts allow-same-origin allow-forms">
</iframe>
```
The ?standalone=2 parameter hides the Superset bar and global filters to show only the dashboard.
5. Standalone levels
| Value | Effect |
|---|---|
| ?standalone=0 | Full UI |
| ?standalone=1 | Without top navigation |
| ?standalone=2 | Without navigation or global filters |
| ?standalone=3 | Minimal "embedded" mode |
This configuration is applied by default on TVL Managed Superset, which follows community best practices.
6. Multi-tenant security
The simple iframe does not separate tenants. For a multi-tenant SaaS:
- Either use a public dashboard (anonymized data only);
- Or use the embedded SDK with guest token and RLS;
- Never use a simple iframe on a dashboard containing customer data.
7. Visual customization
Override Superset CSS to match your branding:
```css
/* On SaaS side, injection via postMessage or CSS Custom Property */
.superset-app { --primary-color: #ff6600; }
```
Or use a Superset theme (cf. white-labelling).
8. Common pitfalls
- Missing CSP frame-ancestors: Chrome silently blocks;
- X-Frame-Options DENY by default: blank iframe;
- Cross-domain cookies: Superset disconnects at every session if SameSite=Strict;
- Mixed content: Superset HTTPS, parent HTTP, browser blocks;
- Not responsive: iframe at fixed height on mobile = scroll within scroll.
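The framing-header and scheme pitfalls above can be checked from the response headers before shipping an embed. This is an added example, not code from the original guide or from Superset: `audit_embed`, the finding names and the sample headers are constructed for illustration, and source matching covers `'self'`, `'none'`, `*` and full origins with `*` wildcards only (scheme-less host sources are not handled).

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower().rstrip("/") for p in parts[1:]]
    return None

def audit_embed(parent_url, superset_url, headers):
    """Return the pitfalls that apply when parent_url frames superset_url."""
    h = {k.lower(): v for k, v in headers.items()}
    parent, target = origin(parent_url), origin(superset_url)
    findings = []
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        findings.append("no-frame-ancestors")
        # Without frame-ancestors, X-Frame-Options decides. Only DENY and
        # SAMEORIGIN are enforced; other values such as ALLOWALL are ignored.
        xfo = h.get("x-frame-options", "").strip().upper()
        if xfo == "DENY" or (xfo == "SAMEORIGIN" and parent != target):
            findings.append("blocked-by-x-frame-options")
        else:
            findings.append("any-site-can-frame")
    else:
        # frame-ancestors takes precedence over X-Frame-Options when both are sent.
        patterns = [target if s == "'self'" else s for s in sources]
        if not any(fnmatchcase(parent, p) for p in patterns):
            findings.append("blocked-by-frame-ancestors")
        elif "*" in patterns:
            findings.append("any-site-can-frame")
    if urlsplit(parent_url).scheme != urlsplit(superset_url).scheme:
        findings.append("scheme-mismatch")
    return findings

# Constructed sample responses (not captured from a real instance).
DASHBOARD = "https://superset.example.com/superset/dashboard/42/?standalone=2"
SECTION_3 = {"X-Frame-Options": "ALLOWALL", "Content-Security-Policy":
             "default-src 'self'; frame-ancestors 'self' https://app.example.com"}
DEFAULT_DENY = {"X-Frame-Options": "DENY"}
XFO_ONLY = {"X-Frame-Options": "ALLOWALL"}
```

An empty list means none of the checked pitfalls apply; `any-site-can-frame` is the result to watch for on a dashboard that is not meant to be public.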
9. Conclusion
Simple Superset iframe is fast to set up but limited in multi-tenant security. For a serious B2B SaaS, switch as soon as possible to the embedded SDK. For public or internal dashboards, the iframe remains perfectly suited.