Docs: request security (#30937)

* Docs: request security

* Docs: lists the section in all examples

* typo

* Update docs/sources/enterprise/_index.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/enterprise-configuration.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>

* whats new

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* Update docs/sources/enterprise/request-security.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* Update docs/sources/whatsnew/whats-new-in-v7-4.md

Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

* final edits

Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

docs/sources/enterprise/_index.md

@@ -50,6 +50,7 @@ With Grafana Enterprise, you get access to new features, including:
 - [Usage insights]({{< relref "usage-insights/_index.md" >}}) to understand how your Grafana instance is used.
 - [Vault integration]({{< relref "vault.md" >}}) to manage your configuration or provisioning secrets with Vault.
 - [Auditing]({{< relref "auditing.md" >}}) tracks important changes to your Grafana instance to help you manage and mitigate suspicious activity and meet compliance requirements.
+- [Request security]({{< relref "request-security.md" >}}) makes it possible to restrict outgoing requests from the Grafana server.
 
 ## Enterprise plugins
 
@@ -70,4 +71,3 @@ With a Grafana Enterprise license, you get access to premium plugins, including:
 
 To purchase or obtain a trial license contact the Grafana Labs [Sales Team](https://grafana.com/contact?about=support&topic=Grafana%20Enterprise).
 
-

docs/sources/enterprise/enterprise-configuration.md

@@ -304,3 +304,25 @@ Time until expiration for tokens which are renewed. Should have a value higher t
 ### lease_renewal_increment
 
 New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit.
+
+## [security.egress]
+
+> **Note:** Available in Grafana Enterprise v7.4 and later versions.
+
+Security egress makes it possible to control outgoing traffic from the Grafana server.
+
+### host_deny_list
+
+A list of hostnames or IP addresses separated by spaces for which requests are blocked.
+
+### host_allow_list
+
+A list of hostnames or IP addresses separated by spaces for which requests are allowed. All other requests are blocked.
+
+### header_drop_list
+
+A list of headers that are stripped from the outgoing data source and alerting requests.
+
+### cookie_drop_list
+
+A list of cookies that are stripped from the outgoing data source and alerting requests.

docs/sources/enterprise/request-security.md

@@ -0,0 +1,57 @@
++++
+title = "Request security"
+description = "Grafana Enterprise request security"
+keywords = ["grafana", "security", "enterprise"]
+weight = 110
++++
+
+# Request security
+
+> **Note:** Available in Grafana Enterprise v7.4 and later versions.
+
+Request security makes it possible to limit requests from the Grafana server, and it targets requests that are generated by users.
+
+For example:
+- Data source metric queries
+- Alert notifications
+
+This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.
+
+> **Note:** Although request security works with backend plugins, you can create a backend plugin that bypasses this security.
+
+## IP and hostname blocking
+
+You can limit requests based on a hostname, an IP address, or both.
+
+### Deny list
+
+Grafana blocks any request to a hostname or IP address on the deny list.
+
+### Allow list
+
+If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.
+
+For example:
+
+```toml
+[security.egress]
+# A list of hostnames or IP addresses separated by spaces for which requests are blocked.
+host_deny_list = supersecret.internal 192.168.1.10
+# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked
+host_allow_list = prometheus.internal
+
+```
+
+## Drop headers and cookies
+
+You can set a list of cookies or headers that are to be dropped from outgoing requests.
+
+Example:
+
+```toml
+[security.egress]
+# a list of headers that will be stripped from outgoing datasource and alerting requests
+header_drop_list = user
+# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)
+cookie_drop_list = session_id
+```

docs/sources/whatsnew/whats-new-in-v7-4.md

@@ -214,6 +214,12 @@ You can now select a font, other than the default, for Unicode-based scripts. As
 
 [Reporting]({{< relref "../enterprise/reporting.md#rendering-configuration" >}}) was updated as a result of this change.
 
+### Request security
+
+Request security introduces ways to limit requests from the Grafana server, and it targets requests that are generated by users.
+
+For more information, refer to [Request security]({{< relref "../enterprise/request-security.md" >}}).
+
 ## Breaking changes
 
 The following Grafana 7.4 changes might break previous functionality.