diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 5b1b4d861ef6795bfd71fa475b461866817447c4..d320907e8e71562b47829850ff85245c265d5040 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -76,6 +76,11 @@ in {
       # listening.  Grafana's own server listens on an internal address that
       # doesn't matter to anyone except our nginx instance.
       rootUrl = "https://%(domain)s/";
+
+      extraOptions = {
+        # Defend against DNS rebinding attacks.
+        SERVER_ENFORCE_DOMAIN = "true";
+      };
     };
 
     services.grafana.auth = {
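Review bot: The `SERVER_ENFORCE_DOMAIN = "true";` line only protects anything if Grafana's `domain` setting equals the public hostname and the nginx front end forwards the client's original Host header; neither is visible in this hunk, so both should be confirmed. As far as I know, Grafana compares the request's Host header with `domain` and redirects on a mismatch, so a proxy that rewrites Host to the internal listen address would produce a redirect loop rather than a working dashboard. I would record that dependency in the comment, e.g. `# Defend against DNS rebinding: requests whose Host header differs from the configured domain are redirected, so nginx must pass the original Host through.` A check that a request with a foreign Host header gets redirected would keep this from regressing silently. The enclosing attribute set opens above the hunk, so the `domain` value itself could not be reviewed here.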