Grafana - Security
Evaluation Context
Tracking standard authentication matrices and network hardening for UI dashboards.
1. Decision Matrix / RBAC
| Control | Context | Setting / Notes |
|---|---|---|
| Proxy Auth HTTP Headers | Auth proxy delegates to Grafana using X-WEBAUTH-USER / X-WEBAUTH-GROUPS. | Used to allocate team roles dynamically from the IdP's group headers. |
| Secure Cookies | Force cookies to be transmitted exclusively over HTTPS to prevent MITM token scraping. | cookie_secure = true |
| CSP Defaults | Tightens the browser Content-Security-Policy to block XSS and malicious scripts. | $NONCE placeholder for per-request inline script nonces. |
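A small audit of the three controls in the matrix, as an added example (not Grafana's own code): it parses a grafana.ini fragment and flags a non-secure cookie, a disabled CSP, and an enabled auth proxy with no source-IP `whitelist`, which is the setting that stops direct clients from forging the X-WEBAUTH-USER header. The two INI samples are constructed; the section and key names are Grafana's documented `[security]` and `[auth.proxy]` options.

```python
"""Audit a grafana.ini fragment for the hardening settings in the matrix."""
import configparser

# Constructed sample: auth proxy on, no proxy allowlist, no secure cookie, no CSP.
WEAK_INI = """
[security]
cookie_secure = false
content_security_policy = false

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
headers = Groups:X-WEBAUTH-GROUPS
"""

# Constructed sample with the settings the matrix calls for.
HARDENED_INI = """
[security]
cookie_secure = true
content_security_policy = true

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
headers = Groups:X-WEBAUTH-GROUPS
whitelist = 10.0.0.5, 10.0.0.6
enable_login_token = false
"""


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_grafana_ini(text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep $NONCE literal
    cfg.read_string(text)
    findings = []
    sec = cfg["security"] if cfg.has_section("security") else {}
    if not _is_true(sec.get("cookie_secure", "false")):
        findings.append("security.cookie_secure is not true: session cookie may travel over plain HTTP")
    if not _is_true(sec.get("content_security_policy", "false")):
        findings.append("security.content_security_policy is not true: no CSP header is sent")
    proxy = cfg["auth.proxy"] if cfg.has_section("auth.proxy") else {}
    # With header auth enabled and no allowlist, Grafana trusts X-WEBAUTH-USER
    # from any client that can reach it directly, bypassing the proxy entirely.
    if _is_true(proxy.get("enabled", "false")) and not proxy.get("whitelist", "").strip():
        findings.append("auth.proxy.whitelist is empty: header auth is trusted from any source IP")
    return findings
```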
2. Threat Model & AI Handling
Based on Context7 research:
- Grafana Assistant AI: Acts on a "least privilege", inherited-permission model. The LLM agent can only query dashboards and metrics that the user invoking it can already see. Grafana Cloud proxies all backend LLM responses dynamically so external vendors cannot breach your tenant.