It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Configure Cross-Origin Resource Sharing (CORS)
There are two options to handle CORS headers in Elastic Cloud Enterprise:
- The Elastic Cloud Enterprise proxy handles the responses to CORS headers.
  - This is the default behavior in Elastic Cloud Enterprise 2.x.
  - It is deprecated in Elastic Cloud Enterprise 2.9+.
  - It will be removed in Elastic Cloud Enterprise 3.x.
- Elastic Cloud Enterprise relies on Elastic Stack components to handle the CORS headers.
  - This will be the default behavior in Elastic Cloud Enterprise 3.x.
The Elastic Cloud Enterprise proxy generates an open, but potentially unsafe, Access-Control-Allow-Origin header in each response. It reflects the Host header of the request back to the client:
    curl -i -u "$AUTH" -H "Origin: example.com" "https://${CLUSTER_ID}.${ECE_URL}:9243"
    ..
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Authorization, Content-Type, Origin, Accept, X-Requested-With
    Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, POST, PUT
    Access-Control-Allow-Origin: example.com
    ..
This behavior is convenient, as it requires no extra setup for embedding the Elastic Stack in other webpages, but it may be considered insecure.
In contrast, the Elastic Stack by default returns no CORS headers:

    curl -i -u "$AUTH" -H "Origin: example.com" "https://${CLUSTER_ID}.${ECE_URL}:9243"
    ..
    # No Access-Control-Allow-* headers
    ..
See the Elastic Stack documentation to learn how to allow cross origin requests.
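To tell the two behaviors apart when auditing your own deployment, the following added example (not part of the Elastic documentation) classifies the CORS headers found in a response to a request that carried an Origin header. The sample responses are constructed from the output shown on this page, with an assumed status line and Content-Type, and the function names and result labels are hypothetical.

```python
# Added example: classify the CORS policy visible in one HTTP response.
# A header dump can be captured with:
#   curl -s -D - -o /dev/null -u "$AUTH" -H "Origin: <origin>" <url>

# Constructed samples modelled on the two responses shown on this page
# (status line, Content-Type and body are assumed, not taken from the page).
PROXY_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "Access-Control-Allow-Credentials: true",
    "Access-Control-Allow-Headers: Authorization, Content-Type, Origin, Accept, X-Requested-With",
    "Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, POST, PUT",
    "Access-Control-Allow-Origin: example.com",
    "", "{}",
])
STACK_RESPONSE = "\r\n".join(["HTTP/1.1 200 OK", "Content-Type: application/json", "", "{}"])


def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw response."""
    headers = {}
    for line in raw.strip().splitlines():
        if not line.strip():
            break  # blank line ends the headers; never parse the body
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(raw_response, sent_origin):
    """Label the CORS policy seen for a request sent with Origin: sent_origin."""
    headers = parse_headers(raw_response)
    allow_origin = headers.get("access-control-allow-origin")
    # Browsers honour only the exact, case-sensitive value "true".
    with_credentials = headers.get("access-control-allow-credentials") == "true"
    if allow_origin is None:
        return "no-cors-headers"      # Elastic Stack default shown above
    if allow_origin == "*":
        return "wildcard"             # browsers reject credentials with "*"
    if allow_origin == sent_origin:
        # Conclusive only when sent_origin is NOT an origin you meant to allow.
        return "reflected-with-credentials" if with_credentials else "reflected"
    return "fixed-origin"             # server answered with its own configured origin


if __name__ == "__main__":
    print("proxy:", classify_cors(PROXY_RESPONSE, "example.com"))
    print("stack:", classify_cors(STACK_RESPONSE, "example.com"))
```

Run the check with an Origin value that is not on your intended allowlist, since a matching value for an allowed origin is the expected result of a correctly restricted policy.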