Architecture
The Data Manipulation panel can request (GET) and update (DELETE, PATCH, POST, PUT) data and configuration using a REST API.

Tutorial
NGINX
We recommend running Grafana behind an NGINX reverse proxy for an additional security layer. The reverse proxy also allows us to expose additional API endpoints and static files in the same domain, which makes it CORS-ready.

CORS
The Data Manipulation panel may be blocked by CORS policy from accessing the API Server. You can look for a rejection error in your browser's Console window.

Unfortunately, Grafana will not be explicit. Nothing in Grafana will notify you about a CORS restriction error.
Policies
Same-Origin is a policy allowing interaction with resources ONLY from the same domain, host and port. For instance, abc.com can retrieve data from abc.com/page1, but is not permitted to access anyotherdomain.com.
Cross-Origin Resource Sharing (CORS) policy is more flexible. It was created to allow different domains to interact. If CORS restrictions are off, any domain is allowed to request data. If CORS restrictions are on, only whitelisted domains are permitted.
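The two policies above, as an added example that is not code from the panel or from Grafana: `sameOrigin` applies the comparison browsers make (scheme, host and port), and `corsHeaders` shows how an API server could answer only whitelisted origins for the methods the panel uses. The function names, the `Content-Type` header choice and the hostnames in the comments are assumptions made for illustration.

```javascript
// Added example (Node.js). Methods are the ones the panel sends.
const PANEL_METHODS = ["GET", "DELETE", "PATCH", "POST", "PUT"];

// Origin = scheme + host + port. URL.origin lower-cases the host and drops
// default ports, so https://ABC.com:443/x and https://abc.com compare equal.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o; // opaque origins (file:, data:) never match
  } catch {
    return null; // malformed or missing Origin is treated as "no origin"
  }
}

// Same-Origin check: true only when both URLs share scheme, host and port.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// CORS decision on the API server side. Returns {} for an origin that is not
// whitelisted, so the browser refuses to hand the response to the page.
function corsHeaders(requestOrigin, allowlist) {
  const origin = originOf(requestOrigin);
  const allowed = new Set(allowlist.map(originOf).filter(Boolean));
  if (origin === null || !allowed.has(origin)) return {};
  return {
    // Echo the exact whitelisted origin rather than "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": PANEL_METHODS.join(", "),
    // Assumption: the panel sends JSON bodies, which need Content-Type allowed.
    "Access-Control-Allow-Headers": "Content-Type",
    // The response varies per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}
```

Matching on the parsed origin, not on a string prefix or suffix, is what keeps a look-alike host such as `grafana.example.com.anyotherdomain.com` out of the whitelist.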
Connect to API Server
We understand the risk of data manipulation and take security concerns seriously. This blog post explores three secure ways to connect the Data Manipulation panel to the API Server.
