Security Guidelines

This section addresses many of the general questions we have received on the matter. At the bottom, you will find notes specific to individual plugins in the corresponding sections.

JavaScript enriched

Our plugins are enriched with JavaScript, providing you with unparalleled customization options.

The ability to use JavaScript is one of the most requested features in community plugins, since it expands Grafana's possibilities even further. However, as with any mighty force, this one also has to be wielded with caution.

Know your Risks

JavaScript code can be modified in Edit mode by any user with the Editor or Admin role.

Grafana executes JavaScript code in a Sandbox environment, which significantly reduces security risks.

To facilitate the safe usage of our JavaScript-enriched plugins we suggest the following approaches:

  • Provisioning
  • Access restrictions

Provisioning

In a provisioned dashboard, an end user cannot save any changes they make. We explained the mechanics of provisioning in great detail in the following video:

Provisioning in Grafana. Basics and pitfalls. File examples. Windows and Docker Demo.

You can also read the blog post that covers a similar scope.
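The read-only behaviour described above comes from the dashboard provider definition that Grafana loads from its provisioning directory. The script below is an added example (not Volkov Labs or Grafana code): it writes a constructed provider file in Grafana's dashboard provisioning format and checks the two provider options that keep a provisioned dashboard locked from the UI, allowUiUpdates and disableDeletion. The provider name and dashboard path are constructed for the demo, and the check assumes one provider per file.

```shell
#!/bin/sh
# Added example, not Volkov Labs or Grafana code. Writes a constructed
# dashboard-provider file and checks the settings that keep a provisioned
# dashboard read-only from the UI:
#   allowUiUpdates: false  - edits made in the UI cannot be saved
#   disableDeletion: true  - the dashboard cannot be deleted from the UI

PROVIDER_FILE="$(mktemp)"
cat > "$PROVIDER_FILE" <<'EOF'
apiVersion: 1
providers:
  - name: 'locked-dashboards'            # constructed provider name
    orgId: 1
    folder: 'Provisioned'
    type: file
    disableDeletion: true
    allowUiUpdates: false
    options:
      path: /var/lib/grafana/dashboards   # constructed path
EOF

# yaml_flag FILE KEY -> prints the bare value of the first "KEY: value" line.
# Good enough for a one-provider file like the sample above; trailing
# comments after the value are dropped.
yaml_flag() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | head -n 1
}

# provider_is_locked FILE -> "locked" when UI saves cannot be persisted and
# deletion is blocked, otherwise "open". A missing allowUiUpdates is treated
# as false, which is Grafana's default for that option.
provider_is_locked() {
  ui="$(yaml_flag "$1" allowUiUpdates)"
  del="$(yaml_flag "$1" disableDeletion)"
  if [ "${ui:-false}" = "false" ] && [ "$del" = "true" ]; then
    echo "locked"
  else
    echo "open"
  fi
}

provider_is_locked "$PROVIDER_FILE"   # prints "locked" for the sample file
```

Point the check at the provider files under your Grafana provisioning directory to confirm that none of them sets allowUiUpdates to true, because that single option reintroduces saving from the UI for every dashboard the provider loads.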

Access restriction

Access restriction ensures that only trusted users are granted Admin and Editor privileges. Users with the Viewer role cannot open panels in edit mode, so they cannot create a hazard even by accident.

Specific notes to some plugins

Above we discussed the general safety suggestions. Below you will find recommendations specific to particular plugins.

Business Text

You can keep the default setting disable_sanitize_html = false to keep security restrictions in place. However, many action tags will then be disabled; for instance, your panels will not display HTML elements such as buttons.

The feature to process external CSS and JavaScript files is available only when HTML sanitizing is disabled in the Grafana configuration:

disable_sanitize_html = true
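The setting above lives in the [panels] section of grafana.ini and applies to the whole instance, not just to Business Text panels. The script below is an added example (not Volkov Labs or Grafana code) that writes a constructed grafana.ini fragment and reads disable_sanitize_html from the [panels] section only, ignoring commented-out lines and the same key under other sections. The decoy section in the sample is constructed to show that section awareness; an absent key reports Grafana's default, false.

```shell
#!/bin/sh
# Added example, not Volkov Labs or Grafana code. Reads disable_sanitize_html
# from the [panels] section of a grafana.ini-style file so an operator can
# tell at a glance whether HTML sanitizing has been switched off.

GRAFANA_INI="$(mktemp)"
cat > "$GRAFANA_INI" <<'EOF'
[constructed_decoy]
; same key under another section: must not be picked up
disable_sanitize_html = true

[panels]
;disable_sanitize_html = false       <- commented default, ignored
disable_sanitize_html = true
EOF

# html_sanitize_disabled FILE -> "true" or "false"
html_sanitize_disabled() {
  awk '
    /^[[:space:]]*[;#]/ { next }                                  # ini comment
    /^[[:space:]]*\[/  { in_panels = ($0 ~ /^[[:space:]]*\[panels\]/); next }
    in_panels && /^[[:space:]]*disable_sanitize_html[[:space:]]*=/ {
      split($0, kv, "=")                                         # key = value
      v = kv[2]; gsub(/[[:space:]]/, "", v); val = v             # last one wins
    }
    END { if (val == "true") print "true"; else print "false" }
  ' "$1"
}

# External CSS/JS processing in Business Text needs "true"; that same value
# also lifts HTML sanitizing for every other panel on the instance.
if [ "$(html_sanitize_disabled "$GRAFANA_INI")" = "true" ]; then
  echo "HTML sanitizing is disabled instance-wide"
else
  echo "HTML sanitizing is enabled (Grafana default)"
fi
```

Run html_sanitize_disabled against the real grafana.ini (or the merged custom.ini) before enabling external CSS and JavaScript, so the decision to lift sanitizing is taken knowingly and paired with the provisioning and role restrictions described earlier on this page.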

Business Input

The Business Input data source allows you to set values using the JavaScript Value Editor, which can be disabled in the data source options.

Disable the JavaScript Value Editor in the Data Source options.