Cross Frame Scripting (XFS)

Good day!

Our security testing team noted that it was possible to capture the login page of the application within an HTML frame of another page, as well as all the keystrokes that are entered by the user. In addition, it was also possible to authenticate to the web application within the HTML frame. It was also noted that there was no ‘X-Frame-Options’ header in the HTTP response.

May we request a fix for this?

Thank you!

By default, Grafana 6.2+ includes an X-Frame-Options: deny header on every response. Please verify that you are running the latest release and have not set allow_embedding = true in your configuration (which disables the X-Frame-Options header).
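The two checks the reply above asks for (is the X-Frame-Options header present on the response, and has allow_embedding been switched on in the config) can be scripted. The following is an added example written for this thread; it is not Grafana's own code. It assumes allow_embedding lives under the [security] section of a grafana.ini-style file, and the response headers and config snippets it uses are constructed samples, not captures from a real deployment.

```python
"""Verify frame-embedding protection for a Grafana-style deployment.

Added example for this thread, not Grafana project code. Two independent
checks: (1) classify a response's anti-framing headers, (2) detect
allow_embedding = true in a grafana.ini-style config (assumed to sit under
[security], as in Grafana's shipped configuration).
"""
import configparser
from typing import Mapping


def frame_protection_status(headers: Mapping[str, str]) -> str:
    """Classify anti-framing protection from HTTP response headers.

    Returns one of 'deny', 'sameorigin', 'csp', 'allow-from' or 'none'.
    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    if xfo.startswith("allow-from"):
        # Obsolete directive; modern browsers ignore it, so treat it as weak.
        return "allow-from"
    csp = lower.get("content-security-policy", "").lower()
    if "frame-ancestors" in csp:
        # CSP frame-ancestors is the modern replacement for X-Frame-Options.
        return "csp"
    return "none"  # what the testers observed: the page can be framed anywhere


def allow_embedding_enabled(ini_text: str) -> bool:
    """Return True if [security] allow_embedding is set to a true value.

    A leading pseudo-section is prepended so that keys placed before the
    first section header (as in Grafana's defaults.ini) do not break parsing.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string("[_top]\n" + ini_text)
    return cfg.getboolean("security", "allow_embedding", fallback=False)


# Constructed sample inputs (not real captures).
HARDENED_RESPONSE = {"X-Frame-Options": "deny", "Content-Type": "text/html"}
EMBEDDABLE_RESPONSE = {"Content-Type": "text/html"}  # header absent
CSP_RESPONSE = {"Content-Security-Policy": "frame-ancestors 'none'"}

WEAK_INI = "[security]\nallow_embedding = true\n"
DEFAULT_INI = "[security]\n; shipped default\nallow_embedding = false\n"


if __name__ == "__main__":
    for label, hdrs in [("hardened", HARDENED_RESPONSE),
                        ("as reported", EMBEDDABLE_RESPONSE),
                        ("csp only", CSP_RESPONSE)]:
        print(f"{label:12s} -> {frame_protection_status(hdrs)}")
    print("weak ini   ->", allow_embedding_enabled(WEAK_INI))
    print("default ini->", allow_embedding_enabled(DEFAULT_INI))
```

Run it against headers pulled from a real response (for example via a requests.get(...).headers mapping) and against the deployed grafana.ini; a result of 'none' together with allow_embedding_enabled(...) returning True points directly at the configuration change the reply describes.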