Tested state of Grafana security on v3? #5595

Closed
1 task
rayprill opened this issue Jul 15, 2016 · 1 comment

@rayprill

  • Question

Has Grafana been tested to assure it defends against common security issues? Specifically for v3.0.4, are the following common security exploits closed?

  1. Does Grafana validate all cookies? Are all session cookies validated before granting access? Are different cookies used pre and post authentication?
  2. Does Grafana defend against clickjacking? Can it be loaded in another application’s iframe?
  3. Does Grafana disable auto-complete for the login screen?
  4. Does Grafana defend against Cross-site scripting?
  5. Does Grafana defend against Script injection?
@nopzor1200
Contributor

Hello,

The answers to these questions get quite varied. This is something we are starting to pay more attention to. We are also in the beginning processes of doing ongoing third party testing.

For customers with support subscriptions for Grafana, we do provide additional assurances, and are sharing the results of some of the aforementioned third party testing, etc.

However, for purposes of this GitHub issue, no, Grafana makes no assurances and provides no warranties.
