Securely serving a Dash App

I want to serve a Dash app inside of a Django app with the Dash app only being accessible through the Django app after authentication.

I wanted to try to restrict the access by only allowing requests from the Django site to access the app and simply loading it in an iframe. However, I’m unsure if this is secure and/or whether there’s a better way to do this with a Dash or Flask based solution.

We had a similar need and we used an iframe (needed to encapsulate the Dash app) and also served all of the Dash routes through Django and not Flask. If you did this, then you can use the standard Django authorisation to restrict access.

For example, you could restrict the views in these urls by wrapping them with login_required (or another more selective function depending on your requirements).

Is there a way to decouple the DjangoDash application instance from the Django repository itself? The main problem I’m facing is that I’d like to keep the Django and Dash app living in entirely separate repositories. Would I be able to secure the access point to a Dash instance using a proper web server?

My idea is something along the lines of:
User --> Django --> (Login Required) View to dispatch Dash URL --> [ Dash Instance ] (Only accessible by the Django app)

If you want to use Django to control access, then either you need to have the Dash app served through Django (which would imply using Django as a proxy if you want to serve the Dash app with Flask) or extend the Flask server to somehow leverage Django authentication (which sounds quite messy as you’d need some way of enabling the Flask server to validate with the Django one).

If living in separate repositories means keeping the Flask server, then I think you need to take one of these two approaches. On the other hand, if the separation is just at the code level, then finding some sort of minimal change to use something like django-plotly-dash might be a lot less effort for you.
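One way to realise the second approach from the reply above, where the Flask server behind Dash validates a login that Django performed. This is an example added here, not code from any poster or from django-plotly-dash. The shared secret, the `token` query parameter, the `dash_token` cookie name and the 15-minute lifetime are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SECRET = b"constructed-demo-secret"  # assumption: load the same secret from config in both apps
MAX_AGE = 900                        # assumed policy: a token is valid for 15 minutes

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(username, now=None, secret=SECRET):
    """Django side: call in a @login_required view and append ?token=... to the iframe src."""
    payload = f"{username}|{int(time.time() if now is None else now)}".encode()
    return _b64(payload) + "." + _b64(hmac.new(secret, payload, hashlib.sha256).digest())

def verify_token(token, now=None, secret=SECRET, max_age=MAX_AGE):
    """Dash side: return the username for a genuine, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
        username, issued = payload.decode().rsplit("|", 1)
        age = (time.time() if now is None else now) - int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    good = hmac.compare_digest(sig, hmac.new(secret, payload, hashlib.sha256).digest())
    return username if good and 0 <= age <= max_age else None

class RequireDjangoToken:
    """WSGI middleware: app.server.wsgi_app = RequireDjangoToken(app.server.wsgi_app)"""
    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        query = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
        morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get("dash_token")
        token = query or (morsel.value if morsel else "")
        user = verify_token(token)
        if user is None:  # no token, forged token or expired token: never reach Dash
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        environ["REMOTE_USER"] = user  # available to the wrapped app
        def start(status, headers, exc_info=None):
            if query:  # first iframe load: keep the token for Dash's follow-up requests
                headers = headers + [("Set-Cookie",  # SameSite=None assumes a cross-site iframe
                    f"dash_token={token}; HttpOnly; Secure; SameSite=None; Path=/")]
            return start_response(status, headers, exc_info)
        return self.wsgi_app(environ, start)
```

A token carried in the iframe URL can end up in access logs, so the lifetime should stay short and both sites should be served over HTTPS. Restricting the Dash host at the network level so that only expected clients can reach it remains a useful second layer.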