Skip to main content

Security Guidelines

This section addresses many general questions we received on the matter. At the bottom, find some of the plugins solely related notes in the corresponding sections.


Report any security issues to our email: info at

JavaScript enriched

Our plugins are enriched with JavaScript, providing you with unparalleled customization options.

The ability to use JavaScript is one of the most demanded features in community plugins since it expands the Grafana possibilities even further. However, as with any mighty force, this one also has to be wielded with caution.

Know your Risks

JavaScript code can be modified in Edit mode by any Editor and Admin users.

Grafana executes JavaScript code in a Sandbox environment, which significantly reduces security risks.

To facilitate the safe usage of our JavaScript-enriched plugins we suggest the following approaches: provisioning and access restrictions.


In the provisioned dashboard, an end user is not able to save any changes they make. We explained the mechanics of provisioning in great detail in the following video:

Provisioning in Grafana. Basics and pitfalls. File examples. Windows and Docker Demo.

Also, you can look at the blog post that covers a similar scope.

Blog post about provisioning in Grafana.
Blog post about provisioning in Grafana.

Access restriction

Access restriction ensures that only trusted users are allotted Admin and Editor privileges. Users with a Viewer role are not able to open panels in edit mode, hence, their ability to even accidentally create a hazard is decapitated.

Specific notes to some plugins

Above we discussed the general safety suggestions. Below you find recommendations solely related to specified plugins.

Dynamic Text Panel

You can keep the default setting disable_sanitize_html = false to keep security restrictions in place. However, with that many action tags will be disabled. For instance, your panels will not display HTML elements like buttons.

The feature to process external CSS and JavaScript files is available only when sanitizing is disabled in the Grafana configuration:

disable_sanitize_html = true

Static Data Source

Static Data Source allows to set values using JavaScript Value Editor, which can be disabled in the Data Source options.

Disable the JavaScript Value Editor in the Data Source options.
Disable the JavaScript Value Editor in the Data Source options.

Environment Data Source

To stay out of trouble, Grafana Core chose not to support the environment variables at this time. Yet, many industrial cases require the ability to display environment variables, for instance, in cases where the goal is to manage numerous remote devices (for example, IoT networks).

To make the Environmental Data Source more secure, you can restrict the variables that are allowed to be shown in the Environment data source configuration. For the endless possibilities, the filter utilizes a regex pattern.

Use the Regex pattern to restrict the available environment variables.
Use the Regex pattern to restrict the available environment variables.