Security: Add new setting allow_embedding (#16853)

When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
2025-02-25 18:55:37 -06:00 · 2019-05-06 09:56:23 +02:00
parent 44e6da6b41
commit 1c1427520d
7 changed files with 43 additions and 1 deletions
--- a/pkg/middleware/middleware.go
+++ b/pkg/middleware/middleware.go
@@ -237,6 +237,10 @@ func AddDefaultResponseHeaders() macaron.Handler {
 			if !strings.HasPrefix(ctx.Req.URL.Path, "/api/datasources/proxy/") {
 				AddNoCacheHeaders(ctx.Resp)
 			}
+
+			if !setting.AllowEmbedding {
+				AddXFrameOptionsDenyHeader(w)
+			}
 		})
 	}
 }
@@ -246,3 +250,7 @@ func AddNoCacheHeaders(w macaron.ResponseWriter) {
 	w.Header().Add("Pragma", "no-cache")
 	w.Header().Add("Expires", "-1")
 }
+
+func AddXFrameOptionsDenyHeader(w macaron.ResponseWriter) {
+	w.Header().Add("X-Frame-Options", "deny")
+}