Skip to main content

Security Guidelines

This section addresses many general questions we received on the matter. At the bottom, find some of the plugins solely related notes in the corresponding sections.

JavaScript enriched

Our plugins are enriched with JavaScript, providing you with unparalleled customization options.

The ability to use JavaScript is one of the most demanded features in community plugins since it expands the Grafana possibilities even further. However, as with any mighty force, this one also has to be wielded with caution.

Know your Risks

JavaScript code can be modified in Edit mode by any Editor and Admin users.

Grafana executes JavaScript code in a Sandbox environment, which significantly reduces security risks.

To facilitate the safe usage of our JavaScript-enriched plugins we suggest the following approaches:

  • Provisioning
  • Access restrictions


In the provisioned dashboard, an end user is not able to save any changes they make. We explained the mechanics of provisioning in great detail in the following video:

Provisioning in Grafana. Basics and pitfalls. File examples. Windows and Docker Demo.

Also, you can look at the blog post that covers a similar scope.

Access restriction

Access restriction ensures that only trusted users are allotted Admin and Editor privileges. Users with a Viewer role are not able to open panels in edit mode, hence, their ability to even accidentally create a hazard is decapitated.

Specific notes to some plugins

Above we discussed the general safety suggestions. Below you find recommendations solely related to specified plugins.

Business Text

You can keep the default setting disable_sanitize_html = false to keep security restrictions in place. However, with that many action tags will be disabled. For instance, your panels will not display HTML elements like buttons.

The feature to process external CSS and JavaScript files is available only when sanitizing is disabled in the Grafana configuration:

disable_sanitize_html = true

Business Input

Business Input Data Source allows to set values using JavaScript Value Editor, which can be disabled in the Data Source options.

Disable the JavaScript Value Editor in the Data Source options.
Disable the JavaScript Value Editor in the Data Source options.