Feature request: Set security headers #6820
Comments
jmcarp
changed the title
torkelo
added
prio/medium
|
I’ve tried to secure our Grafana installation with CSP headers. But Grafana would require |
|
@rluba Care to comment a bit more on what you tested? I am also trying to secure a grafana for multi-tenant access and I was looking at CSP headers to help me. It's pretty scary to let |
|
Related to #14189 |
|
@Sytten I’ve found no way to enforce a sane CSP with Grafana. If you just need single-tenant access, you can add another layer of authorization in front of Grafana. If you need multi-tenant access, I’m afraid you’re out of luck. |
|
Yeah same for us. My fear is that we are seeing a lot of roll out of grafana as multi-tenant (latest I have seen is logz.io) the same way we do it (auth proxy in front of it). It would be nice of them to help us provide better security for all users. |
|
Just noting to ourselves to analyze what's needed to fulfill this request. |
|
All mentioned headers in issue description are supported since a while back. Closing this as fixed. Let us know if you don't agree and we'll consider reopen this. |
It would be useful if grafana could be configured to set security-related headers (
x-xss-protection,x-frame-options,content-security-policy, etc). In my specific use case, I need to add these headers to comply with nist guidelines, but adding them would also add extra protection against xss and other attacks. Would you all be interested in using a library like https://github.com/unrolled/secure, or in adding the headers that it adds manually?The text was updated successfully, but these errors were encountered: