Security: Add new setting allow_embedding (#16853)

When allow_embedding is false (default) the Grafana backend 
will set the http header `X-Frame-Options: deny` in all responses 
to non-static content which will instruct the browser to not allow 
Grafana to be embedded in `<frame>`, `<iframe>`, 
`<embed>` or `<object>`.

Closes #14189
Marcus Efraimsson
2019-05-06 09:56:23 +02:00
committed by GitHub
parent 44e6da6b41
commit 1c1427520d
7 changed files with 43 additions and 1 deletions


@@ -314,6 +314,12 @@ Set to `true` if you host Grafana behind HTTPS. Default is `false`.
Sets the `SameSite` cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks (CSRF), [read more here](https://www.owasp.org/index.php/SameSite). Valid values are `lax`, `strict` and `none`. Default is `lax`.
### allow_embedding
When `false`, the HTTP header `X-Frame-Options: deny` will be set in Grafana HTTP responses which will instruct
browsers to not allow rendering Grafana in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. The main goal is to
mitigate the risk of [Clickjacking](https://www.owasp.org/index.php/Clickjacking). Default is `false`.
<hr />
## [users]
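Review bot: the scope stated in the new `allow_embedding` entry ("will be set in Grafana HTTP responses") is broader than the commit message, which says the header is added to responses to non-static content only; the docs should say the same so operators do not assume static assets carry `X-Frame-Options` too. The entry also documents only the `false` case; add a sentence on what `true` does (the header is not sent, so Grafana can be embedded from any origin) since that is the value everyone who reads this entry is about to set. Consider noting that `deny` blocks framing from every origin, including Grafana's own, so the setting is all-or-nothing rather than an allow-list for a trusted site.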


@@ -152,6 +152,8 @@ The default cookie name for storing the auth token is `grafana_session`. you can
## Upgrading to v6.2
### Ensure encryption of datasource secrets
Datasources store passwords and basic auth passwords in secureJsonData encrypted by default. Existing datasource
will keep working with unencrypted passwords. If you want to migrate to encrypted storage for your existing datasources
you can do that by:
@@ -160,3 +162,9 @@ password and save the datasource.
- For datasources created by provisioning, you need to update your config file and use secureJsonData.password or
secureJsonData.basicAuthPassword field. See [provisioning docs](/administration/provisioning) for example of current
configuration.
### Embedding Grafana
If you're embedding Grafana in a `<frame>`, `<iframe>`, `<embed>` or `<object>` on a different website it will no longer work due to a new setting
that per default instructs the browser to not allow Grafana to be embedded. Read more [here](/installation/configuration/#allow-embedding) about
this new setting.
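Review bot: the upgrade note says embedding "will no longer work" but does not tell the operator what to change; state the setting and value directly (`allow_embedding = true`) in the v6.2 upgrade guide instead of only linking to the configuration page, because this is where someone whose dashboards just went blank will look. Two wording points: "per default" should read "by default", and "on a different website" understates the effect, since `X-Frame-Options: deny` refuses framing from any origin, including pages served from Grafana's own host; "embedding Grafana in a `<frame>`, `<iframe>`, `<embed>` or `<object>` on any page" would be accurate.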