Authorized use and Security for data and visualizations

I am new to Dash and Plotly, so forgive me if this is in the wrong forum.

I have just started learning Dash and Plotly, and I am very impressed. I work as a BI architect consulting for a leading commercial product which is very expensive to deploy. I think my small firm needs to offer a more economical solution for visualizations and BI. I have the expectation that Dash and Plotly will do this.

One topic that I have not been able to determine is how to implement security.

Is there a reference to this? Or can anyone give me a high level, brief summary of it? The types of companies I work for are medium to small businesses that want to deploy dashboards to their operational units: retail store managers, department managers in various cities, managers in remote locations, that sort of thing.

I have seen the authentication routines referenced in the documentation, but I have not had the time yet to go into them in-depth nor to build any webpages to play around with security. Plus the routines are at a very detailed level and do not seem to indicate an overall approach to security. I could be wrong on this and may have missed some reference info.

What I have gathered is that iframes may not be a secure way to deploy visualizations.

I am not looking for a detailed answer on this or instructions on how to implement security. I am simply seeking some guidance on where to start and to assure myself and my boss that Dash and Plotly can securely deploy dashboards for the types of users I described above.

Thanks for any help and thoughts.

James

On the open-source side, dash_auth supports HTTP basic auth (as well as plot.ly credentials but this part is deprecated), and the approach is fairly straightforward:

  • Wrap all requests to the dash server with a routine that checks the headers for appropriate credentials
  • The headers are checked against a predefined set of username/password combinations
  • For the main app page, unauthenticated access gives the login page
  • For all other endpoints (including the layout, all callbacks, all JS & CSS assets) unauthenticated access is forbidden

If you’re using Dash Enterprise, reach out to your Plotly support contact to help you more with your use case. The general approach is similar but we can help integrate with a wide range of authentication systems.

iframes may not be a secure way to deploy visualizations

They can be secure, but you’re right this has added complications. If you’re using dcc.Graph to deploy plotly.js visualizations, there are no iframes involved.

Hope that helps!
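The request-wrapping approach described in the answer above, as an added example that is not part of the original thread and is not dash_auth's own code: a standard-library WSGI middleware that checks the Authorization header on every request, challenges on the main page, and forbids everything else. The names `BasicAuthGate`, `credentials_ok`, `demo_app`, `status_for` and the sample credentials are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample credentials; a real deployment loads these from a secret store.
VALID_USERS = {"store_mgr": "correct horse battery staple"}

def credentials_ok(header, users=VALID_USERS):
    """True if an Authorization header carries a known username/password pair."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    expected = users.get(user)
    # Compare even for unknown users so timing does not reveal valid usernames.
    match = hmac.compare_digest(password.encode(), (expected or "").encode())
    return bool(sep) and expected is not None and match

class BasicAuthGate:
    """WSGI middleware: every request passes through the credential check."""
    def __init__(self, app, index_path="/"):
        self.app, self.index_path = app, index_path

    def __call__(self, environ, start_response):
        if credentials_ok(environ.get("HTTP_AUTHORIZATION")):
            return self.app(environ, start_response)
        if environ.get("PATH_INFO", "/") == self.index_path:
            # Main page: 401 plus a challenge makes the browser show its login prompt.
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="dashboard"')])
            return [b"Login required"]
        # Layout, callbacks, JS and CSS assets: refuse outright.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden"]

def demo_app(environ, start_response):  # hypothetical stand-in for the Dash server
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard data"]

def status_for(path, auth_header=None):
    """Send one constructed request through the gate and return its status line."""
    seen = []
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if auth_header:
        environ["HTTP_AUTHORIZATION"] = auth_header
    BasicAuthGate(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

HTTP basic auth sends the username and password base64-encoded, not encrypted, on every request, so a gate like this only protects a dashboard that is served over TLS.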