NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Security Settings in Kibana
editSecurity Settings in Kibana
editYou do not need to configure any additional settings to use X-Pack security in Kibana. It is enabled by default.
General Security Settings
edit-
xpack.security.enabled
-
By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled.
Do not set this to
false
; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings. -
xpack.security.audit.enabled
-
Set to
true
to enable audit logging for security events. By default, it is set tofalse
. For more details see Audit Logging. -
xpack.security.authorization.legacyFallback.enabled
-
Set to
true
(default) to enable the legacy fallback. See Authorization for more details.
User Interface Security Settings
editYou can configure the following settings in the kibana.yml
file:
-
xpack.security.cookieName
-
Sets the name of the cookie used for the session. The default value is
"sid"
-
xpack.security.encryptionKey
- An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts.
-
xpack.security.secureCookies
-
Sets the
secure
flag of the session cookie. The default value isfalse
. It is set totrue
ifserver.ssl.certificate
andserver.ssl.key
are set. Set this totrue
if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy). -
xpack.security.sameSiteCookies
-
Sets the
SameSite
attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values areStrict
,Lax
,None
. This is not set by default, which modern browsers will treat asLax
. If you use Kibana embedded in an iframe in modern browsers, you might need to set it toNone
. Setting this value toNone
requires cookies to be sent over a secure connection by settingxpack.security.secureCookies: true
. Some old versions of IE11 do not supportSameSite: None
. -
xpack.security.sessionTimeout
- Sets the session duration (in milliseconds). By default, sessions stay active until the browser is closed. When this is set to an explicit timeout, closing the browser still requires the user to log back in to Kibana.
-
xpack.security.loginAssistanceMessage
- Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.