grafana/docs/sources/enterprise/request-security.md

---
aliases:
  - /docs/grafana/latest/enterprise/request-security/
description: Grafana Enterprise request security
keywords:
  - grafana
  - security
  - enterprise
title: Request security
weight: 400
---

# Request security

Request security allows you to limit requests from the Grafana server by targeting requests generated by users, such as data source metric queries and alert notifications.

This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.

> **Note:** Available in [Grafana Enterprise]({{< relref "../enterprise" >}}) version 7.4 and later, and [Grafana Cloud Pro and Advanced]({{< ref "/docs/grafana-cloud" >}}).

> **Note:** Although request security works with backend plugins, you can create a backend plugin that bypasses this security.

## IP and hostname blocking

You can limit requests based on a hostname, an IP address, or both.

### Deny list

Grafana blocks any request to a hostname or IP address on the deny list.

### Allow list

If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.

For example:

```toml
[security.egress]
# A list of hostnames or IP addresses separated by spaces for which requests are blocked.
host_deny_list = supersecret.internal 192.168.1.10
# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked
host_allow_list = prometheus.internal

```

## Drop headers and cookies

You can set a list of cookies or headers that are to be dropped from outgoing requests.

Example:

```toml
[security.egress]
# a list of headers that will be stripped from outgoing datasource and alerting requests
header_drop_list = user
# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)
cookie_drop_list = session_id
```
Convert TOML front matter to YAML (#49690) Signed-off-by: Jack Baldry <jack.baldry@grafana.com> 2022-05-26 23:06:25 +08:00			`---`
			`aliases:`
			`- /docs/grafana/latest/enterprise/request-security/`
			`description: Grafana Enterprise request security`
			`keywords:`
			`- grafana`
			`- security`
			`- enterprise`
			`title: Request security`
			`weight: 400`
			`---`
Docs: request security (#30937) * Docs: request security * Docs: lists the section in all examples * typo * Update docs/sources/enterprise/_index.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * whats new * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/whatsnew/whats-new-in-v7-4.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * final edits Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> 2021-02-10 22:01:18 +08:00
			`# Request security`

Docs: Identify which Grafana editions are relevant to each Enterprise doc (#49207) * Add section to Ent docs index re: Cloud features * Add and update notes identifying Enterprise and Cloud features * Address feedback 2022-05-26 03:31:49 +08:00			`Request security allows you to limit requests from the Grafana server by targeting requests generated by users, such as data source metric queries and alert notifications.`
Docs: request security (#30937) * Docs: request security * Docs: lists the section in all examples * typo * Update docs/sources/enterprise/_index.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * whats new * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/whatsnew/whats-new-in-v7-4.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * final edits Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> 2021-02-10 22:01:18 +08:00
			`This can be used to limit access to internal systems that the server Grafana runs on can access but that users of Grafana should not be able to access. This feature does not affect traffic from the Grafana users browser.`

Use ref links for external content (#49786) Signed-off-by: Jack Baldry <jack.baldry@grafana.com> 2022-05-31 22:35:52 +08:00			`> Note: Available in [Grafana Enterprise]({{< relref "../enterprise" >}}) version 7.4 and later, and [Grafana Cloud Pro and Advanced]({{< ref "/docs/grafana-cloud" >}}).`
Docs: Identify which Grafana editions are relevant to each Enterprise doc (#49207) * Add section to Ent docs index re: Cloud features * Add and update notes identifying Enterprise and Cloud features * Address feedback 2022-05-26 03:31:49 +08:00
Docs: request security (#30937) * Docs: request security * Docs: lists the section in all examples * typo * Update docs/sources/enterprise/_index.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/enterprise-configuration.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * whats new * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/enterprise/request-security.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * Update docs/sources/whatsnew/whats-new-in-v7-4.md Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> * final edits Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com> Co-authored-by: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> 2021-02-10 22:01:18 +08:00			`> Note: Although request security works with backend plugins, you can create a backend plugin that bypasses this security.`

			`## IP and hostname blocking`

			`You can limit requests based on a hostname, an IP address, or both.`

			`### Deny list`

			`Grafana blocks any request to a hostname or IP address on the deny list.`

			`### Allow list`

			`If there is at least one entry on the list, then any request to a hostname or IP address not on the list is denied.`

			`For example:`

			```toml
			`[security.egress]`
			`# A list of hostnames or IP addresses separated by spaces for which requests are blocked.`
			`host_deny_list = supersecret.internal 192.168.1.10`
			`# a list of hostnames or IP addresses separated by spaces for which requests will be allowed, all other requests will be blocked`
			`host_allow_list = prometheus.internal`

			```

			`## Drop headers and cookies`

			`You can set a list of cookies or headers that are to be dropped from outgoing requests.`

			`Example:`

			```toml
			`[security.egress]`
			`# a list of headers that will be stripped from outgoing datasource and alerting requests`
			`header_drop_list = user`
			`# a list of cookies that will be stripped from outgoing datasource requests (case sensitive)`
			`cookie_drop_list = session_id`
			```