Docs: Cookie samesite setting clarification (#111730)

Misi 2025-09-29 16:17:28 +02:00 committed by GitHub
parent d46e3d0e5a
commit 54eda07b2e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 7 additions and 3 deletions


@ -726,6 +726,8 @@ Set to `true` if you host Grafana behind HTTPS. Default is `false`.
Sets the `SameSite` cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. This setting also provides some protection against cross-site request forgery attacks (CSRF), [read more about SameSite here](https://owasp.org/www-community/SameSite). Valid values are `lax`, `strict`, `none`, and `disabled`. Default is `lax`. Using value `disabled` does not add any `SameSite` attribute to cookies.
If you want to use OAuth/SAML for login, it is necessary to configure this attribute as `lax`.
#### `allow_embedding`
When `false`, the HTTP header `X-Frame-Options: deny` is set in Grafana HTTP responses which instructs browsers to not allow rendering Grafana in a `<frame>`, `<iframe>`, `<embed>` or `<object>`.
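Review bot: The added sentence "it is necessary to configure this attribute as `lax`" is stronger than the rest of the page supports; the note in the other changed file only says that `strict` breaks cross-site navigation, so `lax` is the recommended value rather than the only one that works. Suggest rewording to say why: the OAuth/SAML login flow returns to Grafana through a cross-site redirect, and with `strict` the browser withholds the session cookie on that redirect, so use `lax` (the default) or leave the setting unset. That also ties the sentence to the surrounding explanation of what `SameSite` does instead of presenting an unexplained requirement.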


@ -96,17 +96,17 @@ Review the following settings in your Grafana configuration:
```ini
[security]
cookie_samesite = none
cookie_samesite = lax
```
This setting should be set to none to allow Grafana session cookies to work correctly with redirects.
This setting should be set to `lax` to allow Grafana session cookies to work correctly with redirects.
```ini
[security]
cookie_secure = true
```
Ensure `cookie_secure` is set to true to ensure that cookies are only sent over HTTPS.
For enhanced security, set `cookie_secure` to `true`, which forces cookies to be sent only via HTTPS.
### Troubleshoot Graph API calls
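Review bot: Changing the recommendation from `cookie_samesite = none` to `lax` is the right call, since `none` sends the session cookie on every cross-site request and gives up the CSRF and cross-origin leakage mitigation the settings reference describes, but the new sentence "should be set to `lax` to allow Grafana session cookies to work correctly with redirects" reads as if `lax` were needed for redirects to work at all; suggest stating that `lax` (the default) still permits the top-level redirect used by the login flow while `strict` does not. On the `cookie_secure` paragraph, the rewrite from "Ensure ... is set to true" to "For enhanced security, set ..." makes the `Secure` flag sound optional; for an HTTPS deployment it should stay a requirement, and the old wording was closer to that. Worth keeping one sentence noting that browsers only accept `SameSite=None` cookies when they are also marked `Secure`, so readers who were following the previous `none` guidance understand why the two settings were listed together.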


@ -52,6 +52,8 @@ cookie_samesite = strict
{{< admonition type="note" >}}
By setting the SameSite attribute to "strict," only the user clicks within a Grafana instance work. The default option, "lax," does not produce this behavior.
If you want to use OAuth/SAML for login, it is necessary to configure this attribute as `lax`.
{{< /admonition >}}
### Add a prefix to cookie names
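Review bot: The new admonition line formats the value as `lax` in backticks while the preceding sentence writes "strict," and "lax," in quotation marks, so the note now mixes two conventions for the same setting values; pick one (backticks match the rest of the Grafana docs). The sentence also repeats, word for word, the one added to the settings reference in the first file of this commit, and it follows a sentence that already says `strict` is the value that breaks cross-site navigation, so consider merging it into that sentence ("... so use `lax` if you log in with OAuth or SAML") rather than restating a requirement the note already implies.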