Elasticsearch http.cors.allow-credentials Setting

The http.cors.allow-credentials setting in Elasticsearch controls whether the Access-Control-Allow-Credentials header is returned in responses to cross-origin requests when Cross-Origin Resource Sharing (CORS) has been enabled with http.cors.enabled. The header is only sent when the setting is true; a browser uses it to decide whether a page on another origin may make requests that carry the user's credentials and read the responses.

Description

  • Default value: false
  • Possible values: true, false
  • Type: static node setting, read from elasticsearch.yml at startup (it cannot be changed through the cluster settings API)
  • Recommendation: Keep this setting as false unless a browser application that calls Elasticsearch directly from another origin has to send credentials in CORS requests.

This setting only has an effect when http.cors.enabled is true, and it is evaluated together with http.cors.allow-origin, http.cors.allow-methods and http.cors.allow-headers. When set to true, Elasticsearch adds Access-Control-Allow-Credentials: true to CORS responses, which tells the browser that a page from an allowed origin may send requests carrying the user's credentials (cookies, HTTP authentication the browser has cached, or a TLS client certificate) and read the responses. The browser, not Elasticsearch, decides what counts as a credential; Elasticsearch only states whether such requests are acceptable.

Example

http.cors.allow-credentials is a static node setting: it is read from elasticsearch.yml when the node starts and cannot be set through the cluster settings API (a PUT to /_cluster/settings with this key is rejected as not dynamically updateable). To enable it, add it to elasticsearch.yml on every node together with an explicit origin list, then restart the nodes. Replace the origin below with your own application's origin:

http.cors.enabled: true
http.cors.allow-origin: "https://app.example.com"
http.cors.allow-credentials: true

Reason for change: You might need to change this setting if a browser application running on another origin calls Elasticsearch directly and has to send credentials (for example cookies, via withCredentials: true or credentials: 'include') with those requests.

Effects: With the setting true, a browser lets a page from an allowed origin make credentialed cross-origin requests to the cluster and read the responses. That is necessary for some authentication flows, but it also means every origin that http.cors.allow-origin admits can act with the user's credentials, so the origin list must be exact. Because the setting is static, the change takes effect only after each node is restarted.

Common Issues

  1. Credentialed access granted to every origin: with http.cors.allow-origin set to * (or a regular expression broader than your application's origin) and this setting true, any website a user visits can query the cluster with that user's browser-held credentials.
  2. Blocked responses in the browser when a page sends withCredentials: true (or credentials: 'include') but the setting is false: the response lacks Access-Control-Allow-Credentials: true, so the request may reach Elasticsearch but the page cannot read the result.
  3. Attempts to enable it through the cluster settings API fail, because it is a static setting; set it in elasticsearch.yml on every node and restart.

Do's and Don'ts

Do's:

  • Only enable this setting if you explicitly need to allow credentials in CORS requests.
  • Pair it with an explicit http.cors.allow-origin that names only your application's origin, either as an exact value or as an anchored regular expression between slashes (for example /https?:\/\/app\.example\.com(:[0-9]+)?/, with app.example.com as a placeholder), so only that origin can send credentials.
  • Regularly review and audit your CORS configuration for security.

Don'ts:

  • Don't enable this setting without understanding the security implications: every allowed origin can then act with the user's credentials.
  • Avoid using * as the value for http.cors.allow-origin when this setting is true. Elasticsearch does not send a literal * in that case (browsers would reject it); it echoes the request's Origin back in Access-Control-Allow-Origin, which passes the browser's check and so grants credentialed access to every origin.

Frequently Asked Questions

Q: What happens if I enable http.cors.allow-credentials without configuring http.cors.allow-origin?
A: By itself, nothing is exposed: http.cors.allow-origin defaults to no origins allowed, so cross-origin requests get no Access-Control-Allow-Origin header and the browser blocks them. The risk appears when allow-origin is then set to * or to a regular expression that matches more than your application's origin. Always list the specific origins that need credentialed access.

Q: Can I use http.cors.allow-credentials with a wildcard (*) in http.cors.allow-origin?
A: Don't. Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is a literal *, but Elasticsearch works around that for you: with allow-origin * and allow-credentials true it reflects each request's Origin back in Access-Control-Allow-Origin, so every origin passes the browser's check and gets credentialed access. Specify exact origins (or a tightly anchored regular expression) when allowing credentials.

Q: How does this setting affect Kibana or other Elasticsearch clients?
A: It does not affect Kibana: the Kibana browser UI talks to the Kibana server, which calls Elasticsearch server-to-server, so no CORS settings are involved. The same holds for any client that runs outside a browser. The setting matters only for applications that run in the browser and call the Elasticsearch HTTP port directly from another origin; for those, enable it only if they need to send credentials, and configure the other CORS settings to match.

Q: Is this setting required for basic authentication in Elasticsearch?
A: Usually not. Same-origin requests never involve CORS. For a cross-origin request in which the script sets the Authorization header itself, what matters is that Authorization appears in http.cors.allow-headers (recent default lists include it; older ones did not), and that header is not governed by this setting. http.cors.allow-credentials is needed when the browser attaches credentials it manages itself, such as cookies or HTTP authentication credentials it has cached, which only happens for requests made with withCredentials: true or credentials: 'include'.

Q: How can I test if http.cors.allow-credentials is working correctly?
A: From a page on a different origin, make a request with credentials (fetch(url, { credentials: 'include' }) or an XMLHttpRequest with withCredentials = true) and check that the browser lets the page read the response. Outside a browser, send a request with an Origin header, for example curl -i -H 'Origin: https://app.example.com' https://es-host:9200/ (both values are placeholders), and confirm the response carries Access-Control-Allow-Origin: https://app.example.com and Access-Control-Allow-Credentials: true. Then repeat with an origin you did not allow: it must not receive an Access-Control-Allow-Origin header naming it. If it does, your allow-origin is reflecting arbitrary origins.
