CORS in Kibana

Hi Everyone,

We have a problem when we want to get the cookie from Kibana 7.10.0.
We have two scenarios:

  • If we don't use the credentials: true, in the response header we have the set-cookie attribute but the browser doesn't set it.

  • If we use the credentials: true, we obtain the CORS error.

We need to set the cookie to avoid the login for the user.


@Larry_Gregory / @jportner can you throw some light on this please when you get a chance?


@seba_galban I'll start off by saying the internal APIs (such as the login API) are explicitly not supported for use outside of Kibana, and they can break at any time.

Are you running Kibana from source? Additional cors settings were technically available prior to 7.11, but only when running in dev mode (

If you aren't running from source, how are you setting the Access-Control-Allow-Credentials: true header? Are you using the server.customResponseHeaders Kibana config option? We did not add support for configuring CORS in a granular manner until Kibana 7.11 (align cors settings names with elasticsearch by restrry · Pull Request #85738 · elastic/kibana · GitHub).

What is the end goal you are trying to achieve? If you want to embed Kibana in another webpage, and/or allow anonymous access in Kibana, I would suggest upgrading to 7.11 where this is supported as a first-class feature (What’s new in 7.11 | Kibana Guide [7.11] | Elastic).
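
Added example, not part of the thread and not Kibana code: a simplified model of the browser-side CORS check from the Fetch standard, showing why the two scenarios in the question behave as described. It assumes "credentials: true" in the question means a credentialed request (fetch `credentials: "include"` or XHR `withCredentials`); the function name, origin and cookie value are hypothetical, constructed sample data.

```javascript
// Simplified model of how a browser treats a cross-origin response
// (the Fetch standard's CORS check). Hypothetical helper, constructed data.
function evaluateCrossOriginResponse({ pageOrigin, credentialed, headers }) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const allowOrigin = h["access-control-allow-origin"];
  const allowCredentials = h["access-control-allow-credentials"];

  // Set-Cookie is only processed for credentialed requests. Cookie attributes
  // (SameSite, Secure) and third-party cookie blocking are not modelled here.
  const cookieProcessed = credentialed && "set-cookie" in h;

  let corsError = null;
  if (allowOrigin === undefined) {
    corsError = "missing Access-Control-Allow-Origin";
  } else if (credentialed && allowOrigin === "*") {
    corsError = "wildcard origin is not accepted for credentialed requests";
  } else if (allowOrigin !== "*" && allowOrigin !== pageOrigin) {
    corsError = "Access-Control-Allow-Origin does not match the page origin";
  } else if (credentialed && allowCredentials !== "true") {
    corsError = "Access-Control-Allow-Credentials is not 'true'";
  }
  // A CORS failure hides the response from script; it does not by itself
  // undo Set-Cookie processing for a credentialed request.
  return { readable: corsError === null, cookieProcessed, corsError };
}

// Constructed sample: a page on one origin calling an endpoint on another.
const PAGE = "https://portal.example.test";
const COOKIE = "sid=SAMPLE; HttpOnly";
const scenarios = {
  // Scenario 1 in the question: not credentialed, Set-Cookie arrives but is ignored.
  notCredentialed: evaluateCrossOriginResponse({ pageOrigin: PAGE, credentialed: false,
    headers: { "Access-Control-Allow-Origin": "*", "Set-Cookie": COOKIE } }),
  // Scenario 2: credentialed, but the server answers with a wildcard origin.
  credentialedWildcard: evaluateCrossOriginResponse({ pageOrigin: PAGE, credentialed: true,
    headers: { "Access-Control-Allow-Origin": "*",
               "Access-Control-Allow-Credentials": "true", "Set-Cookie": COOKIE } }),
  // Passing case: exact origin plus Access-Control-Allow-Credentials: true.
  credentialedExact: evaluateCrossOriginResponse({ pageOrigin: PAGE, credentialed: true,
    headers: { "Access-Control-Allow-Origin": PAGE,
               "Access-Control-Allow-Credentials": "true", "Set-Cookie": COOKIE } }),
};
console.log(scenarios);
```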

Thanks @jportner for your reply. We are using ELK stack from source and we want to allow anonymous access in Kibana. We are following your advice and we will try the new version.


Great, I hope it works out for you!

I just want to mention that we suggest no one run from source in production. We make a lot of assumptions and trade-offs while in developer mode, for example we only support the most recent version of Chrome/Firefox among lots of other things.

If you don't need to change any of the code, you should download the distribution and run that. Otherwise, you should create a build and run that instead!
