Elasticsearch security (authentication, role-based access, TLS) is enabled by default since 8.0. Disabling it removes authentication and encryption from the HTTP and transport layers. The legitimate use case is local development against a single-node cluster on a laptop. Disabled security in production - on any network-reachable node - is the single most common cause of public Elasticsearch data leaks reported on Shodan and HaveIBeenPwned.
When Disabling Security Is Acceptable
| Scenario | Acceptable? |
|---|---|
Local development on 127.0.0.1 |
Yes |
| CI integration tests in an isolated network | Yes |
| Docker compose for local prototyping | Yes |
| Bound to internal network | No - use security with private TLS |
| Cloud VPC, no public IP | No - still exposed to other VPC workloads |
| Production for any reason | No |
The Elasticsearch bootstrap check refuses to start a security-disabled node bound to a non-loopback address in production mode unless explicitly forced. That guard exists for a reason.
Step-by-Step: Disable Security
Locate
elasticsearch.yml:- tar.gz/zip:
config/elasticsearch.yml - deb/rpm:
/etc/elasticsearch/elasticsearch.yml - Docker: bind-mounted or set via environment variables
- tar.gz/zip:
Add the security-disabling settings:
xpack.security.enabled: false xpack.security.transport.ssl.enabled: false xpack.security.http.ssl.enabled: falseRestart Elasticsearch:
sudo systemctl restart elasticsearchVerify:
curl http://localhost:9200/The request should succeed without credentials.
For Docker, set the environment variables in the container definition:
environment:
- xpack.security.enabled=false
- discovery.type=single-node
What Each Setting Does
| Setting | Effect when false |
|---|---|
xpack.security.enabled |
Master switch - disables authentication, RBAC, audit logging |
xpack.security.transport.ssl.enabled |
Disables TLS between nodes |
xpack.security.http.ssl.enabled |
Disables HTTPS on the REST API |
Disabling only some of these creates confusing failures (TLS errors but no auth, or vice versa). Disable all three together or none.
Re-enabling Security
To re-enable, set xpack.security.enabled: true, configure TLS, create at least one user, and restart:
bin/elasticsearch-setup-passwords interactive # 7.x
bin/elasticsearch-reset-password -u elastic # 8.x and 9.x
In 8.0+, Elasticsearch auto-generates credentials on first start with security enabled. Stash them before changing anything.
Common Pitfalls
- Disabling security on a cluster that already has security-enabled data - existing user credentials, role definitions, and API keys remain in the
.securityindex but become inaccessible until security is re-enabled. - Binding to
0.0.0.0with security disabled. Any other workload on the network can read and write to the cluster. - Leaving security disabled "temporarily" and forgetting. Audit your cluster configuration regularly.
- Disabling only
xpack.security.enabledwhile leaving SSL enabled. The two layers must be consistent.
Preventive Measures
For development, use authenticated clusters with weak local credentials instead of disabling security entirely. Elasticsearch 8.x ships with one-step single-node setup that includes auto-generated passwords - no harder to use than disabled security, and the cluster won't accidentally end up on the public internet.
For production, Pulse detects clusters with security disabled, anonymous access enabled, or unexpected ingress patterns. Misconfigurations are flagged immediately so they don't end up indexed by search-engine bots.
Frequently Asked Questions
Q: How do I disable security in Elasticsearch 8.x and later?
A: Set xpack.security.enabled: false, xpack.security.transport.ssl.enabled: false, and xpack.security.http.ssl.enabled: false in elasticsearch.yml, then restart the node. The configuration is only safe on isolated local development clusters.
Q: Can I disable Elasticsearch security in production?
A: You technically can, but it leaves data exposed to unauthorized read, write, and delete. Disabled security in production is the most common cause of public Elasticsearch leaks. The official guidance is to never do this.
Q: How do I re-enable security after disabling it?
A: Set xpack.security.enabled: true, configure TLS for transport and (optionally) HTTP, restart, and reset the elastic user password with bin/elasticsearch-reset-password -u elastic (8.x+) or bin/elasticsearch-setup-passwords (7.x).
Q: Does disabling security delete my data?
A: No. Disabling security only removes access controls. Existing user accounts, role definitions, and API keys in the .security index remain stored but inaccessible until security is re-enabled.
Q: Can I disable security for specific indices?
A: No. Security is a cluster-wide capability. To grant different access to different indices, configure roles with index-level permissions while keeping security enabled.
Q: Why does Elasticsearch require security in production mode?
A: Elasticsearch enters production mode when bound to a non-loopback address. The bootstrap check then refuses to start with security disabled because the cluster is network-reachable, so disabled auth would expose data to anyone on the network.
Related Reading
- Elasticsearch Docker Guide: Local single-node setup
- Where to Download Elasticsearch: Get a fresh cluster
- Elasticsearch transport.host Setting: Network binding for nodes
- Elasticsearch network.host Setting: HTTP binding
- Managed Elasticsearch: Avoid security misconfiguration with managed services
