In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
Block access to the snapshot feature by blocking the /api/snapshots
URL via a web application firewall, load balancer, reverse proxy, etc.
You can also set 'external_enabled' to false to disable the external
snapshot publish endpoint (default true). Note that this completely
disables this feature.
[…]
[snapshots]
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
[…]
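
An added example, not part of the advisory or of Grafana's code: a small audit that checks a Grafana version against the affected range stated above and reads the [snapshots] external_enabled setting from grafana.ini text. The function names, the sample configs (constructed) and the set of values treated as "false" are assumptions of this example.

```python
import configparser
import re

FIRST_AFFECTED = (2, 0, 0)  # "2.x through 6.x", per the advisory text
FIXED = (6, 3, 4)           # "before 6.3.4"


def is_affected(version):
    """True if version is in the advisory's range: 2.x up to, not including, 6.3.4."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    # Pre-release suffixes (e.g. "-beta1") are ignored; a missing patch level is 0.
    parsed = tuple(int(p or 0) for p in m.groups())
    return FIRST_AFFECTED <= parsed < FIXED


def external_snapshots_enabled(ini_text):
    """Read [snapshots] external_enabled; the advisory gives the default as true."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini can carry keys before the first section header, which
    # configparser rejects, so park them under a dummy section.
    parser.read_string("[__top__]\n" + ini_text)
    raw = parser.get("snapshots", "external_enabled", fallback="true")
    # Assumption: only an explicit false-like value counts as disabled.
    return raw.strip().lower() not in {"false", "0", "no", "off"}


def audit(version, ini_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if is_affected(version):
        findings.append(f"version {version} is in the affected range (fixed in 6.3.4)")
        if external_snapshots_enabled(ini_text):
            findings.append("[snapshots] external_enabled is not set to false")
    return findings


# Constructed sample configs: commented-out default vs. the setting shown above.
SAMPLE_DEFAULT = """app_mode = production
[snapshots]
;external_enabled = true
external_snapshot_url = https://snapshots-origin.raintank.io
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(";external_enabled = true",
                                         "external_enabled = false")

if __name__ == "__main__":
    for label, ini in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit("6.3.3", ini))
```

The audit only covers the configuration setting; blocking /api/snapshots at the proxy or load balancer has to be verified on that device.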