Sanjeev Kumar
Introducing Splunk Native Embedder: Secure Dashboard Embedding, Done Right


I’m happy to share that Splunk Native Embedder has been approved and is now available on Splunkbase.

Splunk Native Embedder is a lightweight configuration manager built on Splunk’s native capabilities. In this post, I’ll walk through the technical details behind how the app enables secure cross-origin dashboard embedding, allowing developers to integrate Splunk visualizations into external portals with fine-grained control.

Splunkbase: https://splunkbase.splunk.com/app/8405

The Technical Challenge: X-Frame-Options & Cookie Security

Splunk Web ships with its browser-facing protections switched on. That is the right default, but it produces two predictable failures as soon as Splunk content is framed by a web application on another origin:

1. Clickjacking Protection

Splunk Web sends the X-Frame-Options: SAMEORIGIN response header by default. This tells the browser to refuse to render the page in a frame unless the framing page shares Splunk Web's origin (scheme, host and port), which is exactly the case an external portal does not satisfy.

2. Cookie Policies

Chromium-based browsers (Chrome, Edge) treat a cookie that carries no SameSite attribute as SameSite=Lax, and Safari goes further by blocking third-party cookies altogether. A Lax cookie is not sent on cross-site requests, and a page loaded inside an iframe on another site is a cross-site context. The result is a familiar authentication loop: the user logs in successfully inside the frame, but the browser never sends the session cookie back, so the very next request is treated as unauthenticated.


The Solution: Native Configuration Management

The Splunk Native Embedder app removes this friction by acting as a UI wrapper around Splunk’s native web.conf configuration endpoints.

1. Managing Frame Security

When embedding is enabled from the app dashboard, the JavaScript controller (embedder_config.js) makes a REST call to the configs/conf-web endpoint. Splunk persists the change to local/web.conf, with the following keys toggled:

[settings]
# Stops Splunk Web from sending X-Frame-Options: SAMEORIGIN,
# so a page on any origin may frame it
x_frame_options_sameorigin = false

# Permit <iframe> tags inside HTML dashboards
dashboard_html_allow_iframes = true
# Permit other embeddable content (embed/object tags) inside HTML dashboards
dashboard_html_allow_embeddable_content = true

Because the app writes only documented web.conf keys through the standard configuration endpoint, the result is identical to editing local/web.conf by hand, and it can be reviewed, diffed and reverted the same way. Two points are worth keeping in mind. Of the three keys, only x_frame_options_sameorigin decides whether a portal may frame Splunk; the two dashboard_html_* keys govern what an HTML dashboard itself may contain. And setting x_frame_options_sameorigin = false removes the header from every Splunk Web page, not just from dashboards, so clickjacking protection is gone for the whole UI unless you restrict framing elsewhere, for example with a Content-Security-Policy frame-ancestors allow-list added by a reverse proxy in front of Splunk.

2. Solving the SameSite Cookie Issue

For authentication to persist inside an iframe, the session cookie must be marked SameSite=None; Secure, which tells the browser to send it on cross-site requests as long as the connection is HTTPS. The app provides a simple toggle that applies this to all Splunk Web sessions:

[settings]
# REQUIRED for cross-site embedding over HTTPS
cookieSameSite = none

Important: SameSite=None is only honoured when the cookie also carries the Secure attribute. If Splunk Web is reached over plain HTTP the cookie is never marked Secure, and current browsers discard a SameSite=None cookie that lacks it, so users cannot log in at all. Two further consequences follow from this setting: the session cookie is now sent on every cross-site request to Splunk, so CSRF protection rests entirely on request tokens rather than on cookie scoping; and Safari blocks third-party cookies regardless of the SameSite attribute, so an embedded dashboard still will not hold a session there without the user granting storage access.

3. Handling Reverse Proxies & TLS Termination

In many deployments, TLS is terminated at a load balancer or reverse proxy (NGINX, F5) while Splunk Web listens on plain HTTP internally. Splunk then sees only HTTP traffic, does not consider the connection secure, and therefore does not add the Secure attribute to the session cookie, which in turn means the browser drops the SameSite=None cookie as described above.

To handle this, the app exposes an additional setting:

[settings]
# Forces cookies to be marked 'Secure' even if Splunk sees HTTP traffic
tools.sessions.secure = true

With this set, the cookie carries both attributes even though Splunk itself terminates no TLS, and the browser accepts it. The flip side is that a Secure cookie is only ever sent over HTTPS, so every user must reach Splunk Web through the TLS-terminating proxy; anyone who connects directly to the internal HTTP port will be able to load the login page but will not keep a session.
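The three steps above interact: framing has to be allowed, the cookie has to be SameSite=None, and the cookie has to be Secure from the browser's point of view, or the user ends up with either a blocked frame, a rejected cookie, or a login loop. The following audit script is an added example and is not part of the Splunk Native Embedder app. It parses the [settings] stanza of a web.conf with Python's configparser, fills in assumed defaults for the three keys (the default values are my assumption, not quoted from Splunk's spec), predicts the SameSite/Secure attributes the session cookie will carry, and reports the browser-facing consequence of each combination. The sample conf strings are constructed for the example.

```python
"""Audit the web.conf [settings] keys that govern cross-origin dashboard embedding.

Added example, not part of the Splunk Native Embedder app. Reads a web.conf
[settings] stanza and reports what browsers will do with the resulting cookie.
"""
import configparser

# Assumed Splunk defaults when a key is absent (assumption, not the product spec):
# framing blocked, no SameSite attribute set, cookies not forced Secure.
DEFAULTS = {
    "x_frame_options_sameorigin": "true",
    "cookiesamesite": "",             # unset -> Chromium treats it as Lax
    "tools.sessions.secure": "false",
}

# Constructed sample confs (not taken from a real deployment).
DEFAULT_CONF = "[settings]\n"
EMBED_CONF = """[settings]
# Disables the header that blocks cross-origin framing
x_frame_options_sameorigin = false
dashboard_html_allow_iframes = true
dashboard_html_allow_embeddable_content = true
cookieSameSite = none
"""
PROXY_CONF = EMBED_CONF + "tools.sessions.secure = true\n"


def as_bool(value: str) -> bool:
    """Splunk .conf files accept true/false, 1/0, yes/no and on/off."""
    return value.strip().lower() in {"true", "1", "yes", "on", "t", "y"}


def parse_settings(conf_text: str) -> dict:
    """Return the [settings] stanza merged over DEFAULTS, keys lowercased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)          # configparser lowercases option names
    merged = dict(DEFAULTS)
    if cp.has_section("settings"):
        merged.update(cp["settings"])
    return merged


def cookie_attributes(settings: dict, splunk_sees_https: bool) -> str:
    """Predict the SameSite/Secure attributes on the session cookie."""
    attrs = []
    samesite = settings["cookiesamesite"].strip().lower()
    if samesite:
        attrs.append(f"SameSite={samesite.capitalize()}")
    if splunk_sees_https or as_bool(settings["tools.sessions.secure"]):
        attrs.append("Secure")
    return "; ".join(attrs)


def audit(settings: dict, splunk_sees_https: bool) -> list:
    """Return findings describing how browsers will treat this configuration."""
    findings = []
    framing_allowed = not as_bool(settings["x_frame_options_sameorigin"])
    samesite = settings["cookiesamesite"].strip().lower()
    secure = splunk_sees_https or as_bool(settings["tools.sessions.secure"])

    if not framing_allowed:
        findings.append("FRAMING BLOCKED: X-Frame-Options: SAMEORIGIN still sent; "
                        "no external portal can embed dashboards")
    else:
        findings.append("CLICKJACKING: X-Frame-Options removed for ALL of Splunk Web; "
                        "add a CSP frame-ancestors allow-list at the proxy")
    if samesite == "none" and not secure:
        findings.append("REJECTED: SameSite=None without Secure is discarded by "
                        "browsers (serve HTTPS or set tools.sessions.secure = true)")
    if framing_allowed and samesite != "none":
        findings.append("LOGIN LOOP: frame renders but the session cookie is "
                        "treated as Lax and is not sent to the iframe")
    if samesite == "none" and secure:
        findings.append("CSRF: session cookie now rides on cross-site requests; "
                        "CSRF defence must come from request tokens")
        findings.append("SAFARI: third-party cookies blocked regardless of "
                        "SameSite=None; embedded session still fails there")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("embed", EMBED_CONF),
                       ("embed behind TLS proxy", PROXY_CONF)):
        s = parse_settings(conf)
        print(f"== {name}: cookie attrs over internal HTTP = "
              f"'{cookie_attributes(s, splunk_sees_https=False)}'")
        for line in audit(s, splunk_sees_https=False):
            print("  -", line)
```

Run it against your merged configuration (the output of `splunk btool web list settings`) rather than a single file, since a setting in another app's local/web.conf can override what the embedder wrote. The only combination that yields a working cross-site embed without a rejected cookie is framing allowed plus SameSite=None plus Secure, and even then the CSRF and Safari findings remain.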


The app is open for use and feedback. By relying entirely on documented web.conf settings rather than patching Splunk Web, the goal is to provide the most stable and Splunk-aligned way to share dashboards externally, while keeping every change visible in the configuration where an administrator can audit it.

Thanks,
Sanjeev
