This section addresses many of the general questions we received on the matter. At the bottom, you will find notes specific to individual plugins, in the corresponding sections.
Report any security issues to our email: info at volkovlabs.io.
In the provisioned dashboard, an end user is not able to save any changes they make. We explained the mechanics of provisioning in great detail in the following video:
Also, you can look at the blog post that covers a similar scope.
Access restriction ensures that only trusted users are granted Admin and Editor privileges. Users with the Viewer role cannot open panels in edit mode, so their ability to create a hazard, even accidentally, is eliminated.
Specific notes to some plugins
Above we discussed the general safety suggestions. Below you will find recommendations that apply only to specific plugins.
Dynamic Text Panel
You can keep the default setting disable_sanitize_html = false to keep security restrictions in place. However, with that setting many action tags will be disabled; for instance, your panels will not display HTML elements like buttons.
disable_sanitize_html = true
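To make the trade-off between the two settings concrete, here is an added illustrative example (not Grafana's or the Dynamic Text Panel's own code) of an allow-list HTML sanitizer. The allow-list, the attribute rules and the sample panel template are all constructed assumptions for this demonstration; Grafana's real sanitizer uses its own rules. What it shows is the behaviour the text describes: with sanitizing kept on, interactive elements such as a button, inline scripts and event-handler attributes are removed before the template is rendered, and with sanitizing disabled the template reaches the browser exactly as written.

```python
"""Illustrative allow-list HTML sanitizer (added example, not Grafana code).

render_template(html, disable_sanitize_html) mimics the two settings:
  False -> the allow-list filter runs (default, security restrictions kept)
  True  -> raw HTML passes through untouched
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for the demonstration (assumption, not Grafana's list).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "div", "span",
                "ul", "ol", "li", "br", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"href", "class", "title"}
# For these elements the whole content is dropped, not just the tag.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br"}


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: tag dropped, its text is kept by handle_data
        kept = []
        for name, value in attrs:
            # Event handlers (on*) and javascript: URLs never survive sanitizing.
            if name not in ALLOWED_ATTRS or name.startswith("on"):
                continue
            if name == "href" and value and value.strip().lower().startswith("javascript:"):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")


def render_template(html: str, disable_sanitize_html: bool) -> str:
    """Return the HTML a viewer would receive under the given setting."""
    if disable_sanitize_html:
        return html
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed panel template: plain markup plus a button, an inline script
# and a javascript: link, i.e. the kind of content the default setting strips.
TEMPLATE = (
    '<div class="row">Device: <b>pump-01</b> '
    '<button onclick="ack()">Acknowledge</button>'
    "<script>console.log('inline script')</script>"
    '<a href="javascript:alert(1)" title="x">link</a></div>'
)

if __name__ == "__main__":
    print("sanitized:", render_template(TEMPLATE, disable_sanitize_html=False))
    print("raw      :", render_template(TEMPLATE, disable_sanitize_html=True))
```

Note that the button's label text survives while the element itself does not; that is why a panel relying on buttons renders "flat" with the default setting rather than failing outright.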
Static Data Source
Environment Data Source
To stay out of trouble, Grafana Core chose not to support environment variables at this time. Yet many industrial use cases require the ability to display environment variables, for instance, when the goal is to manage numerous remote devices (for example, in IoT networks).
To make the Environment Data Source more secure, you can restrict which variables are allowed to be shown in the Environment data source configuration. The filter uses a regex pattern, which gives you full flexibility.
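The following is an added stand-alone example, not the Environment Data Source's own code, of applying a regex allow-list to a set of environment variables. The sample environment is constructed, and the exact pattern syntax and anchoring the plugin applies are not stated on this page: the example assumes the pattern must match the whole variable name. It also adds a small review helper that flags names looking like credentials that a chosen pattern would still expose, which is the check to run before committing a filter to the data source configuration.

```python
"""Regex allow-list for environment variables (added example, not plugin code)."""
import re

# Constructed environment for the demonstration; nothing is read from os.environ.
SAMPLE_ENV = {
    "DEVICE_ID": "pump-01",
    "DEVICE_SITE": "plant-north",
    "DEVICE_FW_VERSION": "2.4.1",
    "GF_SECURITY_ADMIN_PASSWORD": "not-a-real-secret",
    "DB_CONNECTION_STRING": "postgres://user:pw@db/grafana",
    "AWS_SECRET_ACCESS_KEY": "not-a-real-key",
}

# Name fragments that usually mark a credential (assumed heuristic).
SECRET_HINT = re.compile(r"PASSWORD|SECRET|TOKEN|KEY|CONNECTION", re.IGNORECASE)


def filter_env(env: dict, allow_pattern: str) -> dict:
    """Return only the variables whose name fully matches allow_pattern.

    fullmatch() is assumed here: an unanchored search would let a short
    pattern match far more names than intended.
    """
    rx = re.compile(allow_pattern)
    return {name: value for name, value in env.items() if rx.fullmatch(name)}


def hidden_by(env: dict, allow_pattern: str) -> list:
    """Variable names the filter keeps out of the data source."""
    return sorted(set(env) - set(filter_env(env, allow_pattern)))


def risky_exposures(env: dict, allow_pattern: str) -> list:
    """Exposed names that look like credentials; expect an empty list."""
    return sorted(name for name in filter_env(env, allow_pattern)
                  if SECRET_HINT.search(name))


if __name__ == "__main__":
    for pattern in (r".*", r"DEVICE_.*"):
        print(f"pattern {pattern!r}")
        print("  shown :", sorted(filter_env(SAMPLE_ENV, pattern)))
        print("  hidden:", hidden_by(SAMPLE_ENV, pattern))
        print("  risky :", risky_exposures(SAMPLE_ENV, pattern))
```

With the catch-all pattern every variable, including the admin password and the connection string, becomes visible to anyone who can view the dashboard; with a prefix pattern such as DEVICE_.* only the device facts are shown and the risk check comes back empty.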