From bfe8f7403bce990bb1be35ac2876628ee0c2b726 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Fri, 16 Jul 2021 14:14:55 -0400
Subject: [PATCH] Provide some minimal additional security

At least it's easy to turn on
---
 nixos/modules/monitoring/server/grafana.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 5b1b4d86..d320907e 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -76,6 +76,11 @@ in {
       # listening.  Grafana's own server listens on an internal address that
       # doesn't matter to anyone except our nginx instance.
       rootUrl = "https://%(domain)s/";
+
+      extraOptions = {
+        # Defend against DNS rebinding attacks.
+        SERVER_ENFORCE_DOMAIN = "true";
+      };
     };
 
     services.grafana.auth = {
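Review bot: The `SERVER_ENFORCE_DOMAIN = "true";` setting added in `extraOptions` only protects anything if Grafana's `domain` is the public hostname and nginx passes the client's Host header through unchanged, and neither is visible in this hunk. Grafana's enforce-domain check compares the request Host against `domain` and redirects on mismatch, so a proxy that rewrites Host to the internal address would presumably either redirect every request or leave the check with nothing to compare. I would extend the comment to record that dependency, e.g. `# Defend against DNS rebinding: Grafana redirects any request whose Host differs from the configured domain, so nginx must forward the original Host header.` It is also worth confirming that the nginx virtual host in front rejects unknown Host values itself, since that is the listener actually exposed. The enclosing attribute set opens above the hunk, so the `domain` value may already be set there.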
-- 
GitLab