Elasticsearch http.cors.allow-headers Setting

Pulse - Elasticsearch Operations Done Right

On this page

Description Example Common Issues or Misuses Do's and Don'ts Frequently Asked Questions

The http.cors.allow-headers setting in Elasticsearch controls which HTTP headers are allowed in cross-origin resource sharing (CORS) requests. It is part of Elasticsearch's CORS configuration and helps define which headers can be used when a web application from a different origin makes requests to your Elasticsearch cluster.

Description

  • Default value: X-Requested-With, Content-Type, Content-Length, Authorization
  • Possible values: A comma-separated list of HTTP header names
  • Recommendations: Include only the headers necessary for your application to function properly while maintaining security

This setting is used in conjunction with other CORS-related settings to configure how Elasticsearch responds to cross-origin requests. It's particularly important when you have web applications hosted on different domains that need to interact with your Elasticsearch cluster directly from the browser.

Example

To add a custom header to the allowed list, you can use the cluster settings API:

PUT /_cluster/settings
{
  "persistent": {
    "http.cors.allow-headers": "X-Requested-With, Content-Type, Content-Length, Authorization, My-Custom-Header"
  }
}

In this example, we've added My-Custom-Header to the list of allowed headers. This change might be necessary if your application uses a custom header for authentication or to pass specific information to Elasticsearch.

Common Issues or Misuses

  • Overly permissive configuration: Allowing too many headers can potentially expose your cluster to security risks.
  • Forgetting to enable CORS: The http.cors.allow-headers setting has no effect if http.cors.enabled is not set to true.
  • Misconfiguration leading to CORS errors: If required headers are not included, browser requests may fail due to CORS restrictions.

Do's and Don'ts

  • Do carefully consider which headers are necessary for your application.
  • Do use this setting in conjunction with other CORS settings for a complete CORS configuration.
  • Don't include sensitive headers that could expose security information.
  • Don't set this to * (wildcard) as it allows any header and may pose security risks.
  • Do test your CORS configuration thoroughly after making changes.

Frequently Asked Questions

Q: How does http.cors.allow-headers relate to the Access-Control-Allow-Headers response header?
A: The http.cors.allow-headers setting determines the content of the Access-Control-Allow-Headers response header sent by Elasticsearch in response to CORS preflight requests.

Q: Can I use wildcards in the http.cors.allow-headers setting?
A: No, wildcards are not supported for this setting. You must explicitly list each allowed header.

Q: How do I allow all headers without specifying them individually?
A: While not recommended for security reasons, you can set http.cors.allow-headers to * to allow all headers. However, this should be done with caution and only in controlled environments.

Q: Will changing http.cors.allow-headers affect existing connections?
A: Changes to this setting take effect immediately for new requests, but existing connections may continue to use the previous configuration until they are closed.

Q: Is http.cors.allow-headers case-sensitive?
A: Header names in HTTP are case-insensitive, so the values in http.cors.allow-headers are also treated as case-insensitive. However, it's a good practice to use the canonical capitalization for clarity.

Pulse - Elasticsearch Operations Done Right

Stop googling errors and staring at dashboards.

Free Trial

Subscribe to the Pulse Newsletter

Get early access to new Pulse features, insightful blogs & exclusive events , webinars, and workshops.

We use cookies to provide an optimized user experience and understand our traffic. To learn more, read our use of cookies; otherwise, please choose 'Accept Cookies' to continue using our website.