IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Configure Cross-Origin Resource Sharing (CORS)
There are two options to handle CORS headers in Elastic Cloud Enterprise:
- The Elastic Cloud Enterprise proxy handles the responses to CORS headers.
  - It is the default behavior in Elastic Cloud Enterprise 2.x.
  - It is deprecated in Elastic Cloud Enterprise 2.9+.
  - It will be removed in Elastic Cloud Enterprise 3.x.
- Elastic Cloud Enterprise relies on Elastic Stack components to handle the CORS headers.
  - This will be the default behavior in Elastic Cloud Enterprise 3.x.
The Elastic Cloud Enterprise proxy generates an open, but potentially unsafe, Access-Control-Allow-Origin header in each response. It reflects the Host header of the request back to the client:
    curl -i -u "$AUTH" -H "Origin: example.com" "https://${CLUSTER_ID}.${ECE_URL}:9243"
    ..
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Authorization, Content-Type, Origin, Accept, X-Requested-With
    Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, POST, PUT
    Access-Control-Allow-Origin: example.com
    ..
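This behavior is convenient, as it requires no extra setup for embedding the Elastic Stack in other webpages. It may be considered insecure, because the response allows whatever origin is sent and also sets Access-Control-Allow-Credentials: true, so a browser will let a page from any origin read responses to credentialed requests.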
In contrast, Elastic Stack by default returns no CORS headers:

    curl -i -u "$AUTH" -H "Origin: example.com" "https://${CLUSTER_ID}.${ECE_URL}:9243"
    ..
    # No Access-Control-Allow-* headers
    ..
See the Elastic Stack documentation to learn how to allow cross origin requests.
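To check which of the two behaviours a deployment currently shows, the `curl -i` output can be classified automatically. The script below is an added example, not part of the Elastic documentation: the function names, the posture labels and the two sample responses are constructed here, and "reflected" means the sent Origin value comes back in Access-Control-Allow-Origin, as in the first curl output above.

```shell
# classify_cors PROBE: read a `curl -i` response on stdin and name its CORS posture.
# PROBE is the Origin value that was sent; use one you have NOT allowlisted.
# Live use (variables as in the curl commands above):
#   curl -si -u "$AUTH" -H "Origin: $PROBE" "https://${CLUSTER_ID}.${ECE_URL}:9243" | classify_cors "$PROBE"

# header_value NAME: print the value of header NAME from the header section on stdin
# (case-insensitive name, CR and surrounding blanks stripped).
header_value() {
  awk -v want="$1" '
    { sub(/\r$/, "") }
    NR > 1 && $0 == "" { exit }            # blank line ends the headers
    { i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != tolower(want)) next
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val; exit }'
}

classify_cors() {
  probe=$1
  resp=$(cat)
  acao=$(printf '%s\n' "$resp" | header_value Access-Control-Allow-Origin)
  acac=$(printf '%s\n' "$resp" | header_value Access-Control-Allow-Credentials)
  if [ -z "$acao" ]; then
    echo "no-cors-headers"                     # Elastic Stack default
  elif [ "$acao" = "$probe" ] && [ "$acac" = "true" ]; then
    echo "reflected-origin-with-credentials"   # proxy-generated headers
  elif [ "$acao" = "$probe" ] || [ "$acao" = "*" ]; then
    echo "open-origin"
  else
    echo "fixed-origin"                        # an explicit allowlist entry
  fi
}

# Constructed sample responses (CRLF line endings, as on the wire).
sample_proxy_response() {
  printf 'HTTP/1.1 200 OK\r\nAccess-Control-Allow-Credentials: true\r\n'
  printf 'access-control-allow-origin: example.com\r\n\r\n{}\r\n'
}
sample_stack_response() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}\r\n'
}

sample_proxy_response | classify_cors "example.com"
sample_stack_response | classify_cors "example.com"
```

After moving CORS handling to the Elastic Stack components, a probe origin that is not on your allowlist should yield `no-cors-headers` or `fixed-origin`.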