Introducing Splunk Native Embedder: Secure Dashboard Embedding, Done Right
Source: Dev.to
Splunk Native Embedder has been approved and is now available on Splunkbase.
Splunk Native Embedder is a lightweight configuration manager built on Splunk’s native capabilities. This post walks through the technical details behind how the app enables secure cross‑origin dashboard embedding, allowing developers to integrate Splunk visualizations into external portals with fine‑grained control.
Splunk Native Embedder on Splunkbase
The Technical Challenge: X-Frame-Options & Cookie Security
Clickjacking Protection
Splunk Web sends the X-Frame-Options: SAMEORIGIN header by default. A browser that receives it refuses to render the page inside a frame whose top-level document comes from a different origin. That stops clickjacking, but it also stops legitimate cross-origin embedding.
Cookie Policies
Chromium-based browsers (Chrome, Edge) treat a cookie that carries no SameSite attribute as SameSite=Lax, and Safari's tracking prevention blocks third-party cookies in cross-site iframes outright. Either way, the Splunk session cookie is not sent when Splunk Web is framed by another site. The result is an authentication loop: the user logs in successfully, but the next request inside the iframe arrives without the cookie and is treated as unauthenticated.
The Solution: Native Configuration Management
Managing Frame Security
When embedding is enabled from the app dashboard, the JavaScript controller (embedder_config.js) makes a REST call to the configs/conf-web endpoint. This updates local/web.conf and toggles the required security flags:
[settings]
# Disables the header that blocks cross-origin framing
x_frame_options_sameorigin = false
# Explicitly permits HTML dashboards to function within frames
dashboard_html_allow_iframes = true
dashboard_html_allow_embeddable_content = true
Because these are ordinary, documented web.conf settings rather than a patch to Splunk Web, nothing outside Splunk's own configuration system is involved. The change is global, though: with x_frame_options_sameorigin = false, every Splunk Web page, not only the embedded dashboard, can be framed by any origin. The clickjacking protection the header provided is gone until something in front of Splunk (the reverse proxy, for example) restricts framing again, typically with a Content-Security-Policy frame-ancestors allow-list naming the portal's origin.
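The REST write described above, as an added example rather than the app's own embedder_config.js: it posts the three settings to the configs/conf-web endpoint and then reads the stanza back to confirm they were applied. Everything past the endpoint path is an assumption for illustration: splunkd on port 8089, a bearer token, the app name splunk_native_embedder, and a management certificate that Node already trusts.

```javascript
// Added example, not the app's own embedder_config.js: push the three web.conf
// settings through splunkd's REST API and read the stanza back to confirm they
// landed. Assumptions (not from the post): splunkd listens on :8089, the caller
// holds a bearer token, and the app name is "splunk_native_embedder".
const EMBED_SETTINGS = {
  x_frame_options_sameorigin: 'false',
  dashboard_html_allow_iframes: 'true',
  dashboard_html_allow_embeddable_content: 'true',
};

// URL and form body for the [settings] stanza of web.conf. POSTing here writes
// the keys into <app>/local/web.conf, which is what the app's toggle does.
function buildConfWebRequest(baseUrl, app, settings) {
  const url = `${baseUrl}/servicesNS/nobody/${encodeURIComponent(app)}/configs/conf-web/settings`;
  return { url, body: new URLSearchParams(settings).toString() };
}

// Compare the stanza splunkd reports (entry[0].content of a GET on the same URL
// with output_mode=json) against what we intended to write. Conf values come
// back as strings, so everything is compared as a string.
function findDrift(expected, stanzaContent) {
  const drift = [];
  for (const [key, want] of Object.entries(expected)) {
    const got = stanzaContent[key];
    if (got === undefined) drift.push(`${key}: missing from stanza`);
    else if (String(got) !== want) drift.push(`${key}: expected ${want}, got ${got}`);
  }
  return drift;
}

// Apply and verify against a live splunkd. A self-signed management cert that
// Node does not trust will make fetch() throw here.
async function applyAndVerify(baseUrl, app, token) {
  const { url, body } = buildConfWebRequest(baseUrl, app, EMBED_SETTINGS);
  const headers = { Authorization: `Bearer ${token}` };
  const post = await fetch(`${url}?output_mode=json`, {
    method: 'POST',
    headers: { ...headers, 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!post.ok) throw new Error(`POST ${url} failed: HTTP ${post.status}`);
  const get = await fetch(`${url}?output_mode=json`, { headers });
  if (!get.ok) throw new Error(`GET ${url} failed: HTTP ${get.status}`);
  const { entry } = await get.json();
  return findDrift(EMBED_SETTINGS, entry[0].content);
}

// Only talks to a server when a token is supplied, e.g.
//   SPLUNK_TOKEN=... node apply_embed_settings.js
if (process.env.SPLUNK_TOKEN) {
  applyAndVerify('https://splunk.example.com:8089', 'splunk_native_embedder', process.env.SPLUNK_TOKEN)
    .then((drift) => console.log(drift.length ? drift : 'all embedding settings applied'))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

The read-back step matters because a successful POST only proves the file was written; most web.conf settings take effect after Splunk Web restarts, so a drift-free stanza plus a restart is the state to aim for before testing the iframe.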
Solving the SameSite Cookie Issue
For the session to persist inside a cross-site iframe, the session cookie must be sent with SameSite=None; Secure. The app provides a single toggle that applies this globally to Splunk Web:
[settings]
# REQUIRED for cross-site embedding over HTTPS
cookieSameSite = none
Important: browsers only honour SameSite=None on a cookie that also carries the Secure attribute, and they drop a Secure cookie that is set over plain HTTP, so this setting requires Splunk Web to be reached over HTTPS. Note also that SameSite=None addresses the Lax default but not Safari's third-party cookie blocking, which still withholds the cookie inside a cross-site iframe unless the embedded page obtains storage access from the user.
Handling Reverse Proxies & TLS Termination
In many deployments, SSL/TLS is terminated at a load balancer (NGINX, F5), while Splunk runs on HTTP internally. Splunk may not detect that traffic is secure and therefore won’t mark cookies as Secure. The app exposes an additional setting to force secure cookies:
[settings]
# Forces cookies to be marked 'Secure' even if Splunk sees HTTP traffic
tools.sessions.secure = true
This puts the Secure attribute on the cookie regardless of the scheme Splunk itself saw, so the SameSite=None session cookie is accepted by browsers when TLS terminates in front of Splunk. The flip side is that the cookie is then usable only over HTTPS: any remaining plain-HTTP path to Splunk Web (an internal bypass of the proxy, for example) will hit the login loop described above.
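A check a practitioner would run after flipping these settings, added here as an example that is not part of the app or the original post: it takes the scheme a page was fetched over plus its response headers and reports anything that would still break the dashboard inside a cross-origin iframe (a blocking X-Frame-Options value, a session cookie without SameSite=None or Secure, a Secure cookie served over HTTP) and, as an advisory, the absence of a frame-ancestors allow-list. The session cookie name pattern session_id_<port> is an assumption about the deployment, as are the constructed header samples in the test.

```javascript
// Added example, not code from the app or this post: audit one Splunk Web
// response for the conditions the post describes as necessary for cross-origin
// embedding. `headers` uses lower-case names; 'set-cookie' is an array of raw
// header values (the shape Node's fetch gives via headers.getSetCookie()).
// Assumption: Splunk's session cookie is named session_id_<port>; adjust the
// regex if your deployment renames it.
const SESSION_COOKIE = /^session_id/i;

// Parse one Set-Cookie header into its name, value and lower-cased attributes.
// Flag attributes (Secure, HttpOnly) map to true; valued ones keep their value.
function parseSetCookie(line) {
  const [pair, ...attrParts] = line.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Return a list of findings; an empty list means the response would keep its
// session inside a cross-origin iframe in a current Chromium-based browser.
function auditEmbedding(scheme, headers) {
  const findings = [];

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'SAMEORIGIN' || xfo === 'DENY') {
    findings.push(`X-Frame-Options: ${xfo} still blocks cross-origin framing`);
  }

  // Dropping X-Frame-Options removes clickjacking protection for every origin.
  // A frame-ancestors allow-list (set by a reverse proxy, for instance) restores it.
  const csp = headers['content-security-policy'] || '';
  if (!/frame-ancestors/i.test(csp)) {
    findings.push('no frame-ancestors directive: any origin may frame this page');
  }

  const sessionCookies = (headers['set-cookie'] || [])
    .map(parseSetCookie)
    .filter((c) => SESSION_COOKIE.test(c.name));
  if (sessionCookies.length === 0) findings.push('no session cookie in this response');
  for (const c of sessionCookies) {
    // A missing SameSite attribute is treated as Lax by Chromium, which is what breaks embedding.
    const sameSite = String(c.attrs.samesite || 'lax').toLowerCase();
    if (sameSite !== 'none') findings.push(`${c.name}: SameSite=${sameSite}; cross-site iframes need SameSite=None`);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure; browsers reject SameSite=None without it`);
    else if (scheme !== 'https') findings.push(`${c.name}: Secure cookie set over ${scheme}; browsers drop it`);
  }
  return findings;
}
```

Run it against the login page and against a dashboard URL, both through the reverse proxy and directly against Splunk Web, since the TLS-termination case in this section only shows up on the direct path.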
The app is open for use and feedback. By relying entirely on native configuration, the goal is to provide the most stable and Splunk‑aligned way to share dashboards externally.
— Sanjeev