Elasticsearch http.cors.max-age Setting

The http.cors.max-age setting in Elasticsearch controls the maximum amount of time (in seconds) that browsers are allowed to cache the results of a CORS preflight request.

Description

  • Default value: 1728000 (20 days)
  • Possible values: Any positive integer
  • Recommendation: Use the default value unless you have specific requirements for CORS caching

This setting is part of Elasticsearch's Cross-Origin Resource Sharing (CORS) configuration. It determines how long browsers can cache the preflight response, which can help reduce the number of preflight requests and improve performance for cross-origin requests.

Example

http.cors.max-age is a static node setting, so it cannot be changed through the cluster settings API. Set it in elasticsearch.yml on each node and restart the node:

http.cors.max-age: 86400

This example sets the CORS max-age to 86400 seconds (1 day). You might want to reduce this value if you frequently change your CORS configuration and need browsers to pick up these changes more quickly.

Common Issues and Misuses

  • Setting a very low value can lead to increased preflight requests, potentially impacting performance.
  • Setting a very high value might cause browsers to cache outdated CORS configurations for too long.

Do's and Don'ts

  • Do consider your CORS configuration change frequency when setting this value.
  • Don't set this to 0 unless you have a specific reason to disable caching of preflight responses.
  • Do ensure that http.cors.enabled is set to true for this setting to take effect.
  • Don't confuse this with the Access-Control-Max-Age header; this setting controls the value of that header.

Frequently Asked Questions

Q: How does the http.cors.max-age setting affect my Elasticsearch cluster?
A: This setting determines how long browsers cache CORS preflight responses. A longer max-age can reduce the number of preflight requests, potentially improving performance for cross-origin requests to your Elasticsearch cluster.

Q: Can I disable CORS preflight caching entirely?
A: Yes, you can set http.cors.max-age to 0, which will instruct browsers not to cache CORS preflight responses. However, this is generally not recommended as it can increase the number of preflight requests.

Q: How does this setting interact with other CORS settings in Elasticsearch?
A: This setting works in conjunction with other CORS settings like http.cors.enabled and http.cors.allow-origin. It specifically controls the caching duration of preflight responses, while other settings manage different aspects of CORS behavior.

Q: Is it safe to use the default value for http.cors.max-age?
A: In most cases, yes. The default value of 20 days is suitable for many scenarios. However, if you frequently change your CORS configuration, you might want to consider a shorter duration.

Q: How can I verify that the http.cors.max-age setting is working correctly?
A: You can use browser developer tools to inspect the Access-Control-Max-Age header in the preflight response from your Elasticsearch cluster. This header's value should match the http.cors.max-age setting you've configured.
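
The header check described in the last answer can also be scripted. The following is an added example, not code from the original page or from Elastic: it parses a preflight response, compares Access-Control-Max-Age with the configured http.cors.max-age, and reports how long each browser family would actually keep the cached result. The sample response and the function names are constructed for illustration, and the browser caps are the values MDN documents for Chromium and Firefox.

```python
# Added example: audit a CORS preflight response against http.cors.max-age.
# Browser caps on Access-Control-Max-Age as documented by MDN (assumption:
# still accurate for the browser versions in use).
BROWSER_CAPS = {"chromium": 7200, "firefox": 86400}

# Constructed sample of a preflight (OPTIONS) response, not a real capture.
SAMPLE_PREFLIGHT = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://app.example.test\r\n"
    "Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, DELETE\r\n"
    "Access-Control-Max-Age: 1728000\r\n"
    "content-length: 0\r\n\r\n"
)


def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_preflight(raw, configured_max_age):
    """Compare the advertised max-age with the configured setting."""
    status, headers = parse_response(raw)
    value = headers.get("access-control-max-age")
    result = {"status": status, "header_present": value is not None}
    if value is None:
        # No header: the setting only applies when http.cors.enabled is true.
        return result
    advertised = int(value)
    result["advertised"] = advertised
    result["matches_setting"] = advertised == configured_max_age
    result["caching_disabled"] = advertised == 0
    # Upper bound on how long each browser keeps serving the cached result,
    # i.e. how long a CORS change can take to reach existing clients.
    result["effective"] = {
        name: min(advertised, cap) for name, cap in BROWSER_CAPS.items()
    }
    return result


if __name__ == "__main__":
    print(audit_preflight(SAMPLE_PREFLIGHT, configured_max_age=1728000))
```

Because of the browser-side caps, values above 86400 do not extend caching beyond what Firefox and Chromium already allow, so the practical window for a stale CORS policy is bounded by the browser rather than by the 20-day default.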
