Grafana Embed- Clickjacking attack Mitigation

Hello Grafana Team,

I wanted to clarify few doubts related to the security issue mentioned in the blog

As per the blog , in order to allow grafana accept embedding requests allow_embedding configuration has to be set, but this will make your server vulnerable to clickjacking attack. My question is, if this attack can be mitigated with the approach suggested in the following blog: I think we can set CSP in grafana.ini
via content_security_policy_template.

My another question is related to another attack vector i.e. CSRF mentioned in the same grafana blog as above. Here I wanted to confirm , I have 2 different domains i.e. grafana is on different domain and site where grafana dashboard gets embedded is on different domain. In that case I don’t want cookies to be shared between them. So I would want to set cookie_samesite=strict and i hope the embed requests should still work without any CSRF concern. In the blog it is mentioned to set cookie_samesite=disabled, but what if there is no need to share the cookies in cross site requests.I was not able to find the answers via search, please redirect me to the correct page if this is already answered somewhere.

1 Like

Just try that. I think that you may have a problem to authenticate a user in embedded Grafana.

You will mitigate clickjacking attack only partially with CSP - there can be still attack from that explicitly whitelisted domains, where you are embedding Grafana.

Thanks for the instant reply.

I will try it out cookie_samesite=strict. For the clickjacking attack, can you tell me how much risk remains after applying the fix assuming that in the security world we cannot achieve 100% protection from the threats as a matter of fact.

That’s hard to quantify. But I guess you will be top 1% Grafana users, who care about security fine tuning.