Skip to main content

Security Guidelines

This guide answers common security questions about the Business Suite and provides best practices for safe usage. Plugin-specific notes are included at the end.

JavaScript-Enhanced Plugins​

Our plugins leverage JavaScript to offer unmatched customization, a top-requested feature that supercharges Grafana’s capabilities. With great power comes great responsibility—here’s how to use it safely.

Know the Risks

JavaScript code can be edited in Edit mode by Admin and Editor users, potentially introducing vulnerabilities if not managed properly.

Grafana runs JavaScript in a sandboxed environment, minimizing risks. To further secure your JavaScript-enriched plugins, we recommend:

  • Provisioning: Lock dashboards to prevent unauthorized changes.
  • Access Restrictions: Limit who can edit panels.

Provisioning​

Provisioning ensures end users can’t save dashboard modifications. Learn the ins and outs of this approach in our detailed video tutorial:

Provisioning in Grafana. Basics and pitfalls. File examples. Windows and Docker Demo.

For more, check out our companion blog post:

Provisioning in Grafana
Provisioning in Grafana

Provisioning is ideal for production environments where stability is key.

Access Restrictions​

Restrict Admin and Editor roles to trusted users only. Viewers can’t access Edit mode, eliminating accidental or malicious changes.

Plugin-Specific Recommendations​

The following tips address security considerations for specific Business Suite plugins.

Business Text​

You can set the default setting disable_sanitize_html = false to keep security restrictions in place. However, with that many action tags will be disabled. For instance, your panels will not display HTML elements like buttons.

disable_sanitize_html = true

Business Input​

The Business Input data source includes a JavaScript Value Editor, which can be disabled in the data source options for added safety:

Disable the JavaScript Value Editor in the data source options.
Disable the JavaScript Value Editor in the data source options.

Questions?​

Have security concerns or need clarification? Reach out via GitHub or our YouTube channel!

Business Suite Enterprise partners please open Zendesk ticket for fast response.