Cross Frame Scripting (XFS)

sugardaddyz · August 26, 2019, 1:42pm

Good day!

Our security testing team noted that it was possible to capture the login page of the application within a HTML frame of another page as well as all the keystrokes that are entered by the user. In addition, it was also possible to authenticate the web application within the HTML frame. It was also noted that there was no ‘X-Frame-Options’ header in the HTTP response.

May we request for a fix for this?

Thank you!

dcech · August 26, 2019, 2:06pm

By default Grafana 6.2+ includes an X-Frame-Options: deny header on every response. Please verify that you are running the latest release and have not set allow_embedding = true in your configuration (which disables the x-frame-options header).

Topic		Replies	Views
Iframe With Grafana still show X-frame-Options 'deny' Configuration	0	2725	January 10, 2022
Load denied by X-Frame-Options: <Panel_URL> does not permit framing	8	30140	April 4, 2022
Click-Jacking protection for Grafana	3	1580	January 13, 2021
Grafana cloud public dashboards and X-Frame-Options: deny Grafana Cloud configuration , public-dashboards	2	1793	June 28, 2023
Iframe is not embedding in Grafana using Text panel Grafana text-panel	17	8247	April 25, 2024

Cross Frame Scripting (XFS)

Related topics