Embedding Kibana in Company Portal – CORS and Iframe Customization on Elastic Cloud

We’re currently working on embedding Kibana dashboards (hosted on Elastic Cloud) into our internal company portal via an iframe, and we’re running into a couple of key challenges:

CORS issues:
Kibana and our portal are hosted on different domains, and browser CORS policies are blocking XHR/fetch calls within the embedded iframe. I’ve seen discussions about updating the kibana.yml file, but I believe we don't have that flexibility since we're using Elastic Cloud.

Is there any way to configure settings like xpack.security.sameSiteCookies, basePath, etc., in a cloud-hosted Kibana environment?

Iframe Styling Limitations:
Due to the Same-Origin Policy, we’re unable to style or modify the Kibana iframe (e.g., apply branding or CSS changes).

  • Are there any Elastic-supported options to customize the embedded Kibana UI?
  • Is using a reverse proxy a viable solution in Elastic Cloud?

When testing locally, it seemed like we would need to reverse proxy all requests Kibana makes, which may be complex.

Any guidance on best practices for securely embedding Kibana with support for custom branding would be greatly appreciated.

1 Like

You can configure Kibana settings (such as xpack.security.sameSiteCookies) in the Elastic Cloud Console. See Edit Stack Settings for more info.

We also have a "How to embed Kibana Dashboards" blog post that provides tips.

1 Like

Thank you. Setting xpack.security.sameSiteCookies: None now allows iframe authentication.

I’m aware that relying on sameSiteCookies: None comes with security and browser compatibility issues. What’s the recommended approach for securely embedding Elastic Cloud Kibana dashboards in a production environment? Are SAML/OIDC SSO or API-key-based solutions preferred?
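
The setting discussed in this thread, xpack.security.sameSiteCookies: None, changes the SameSite attribute on the Kibana session cookie. As an added example (not part of any post above and not Elastic's code), this Node.js script audits response headers the way a browser treats them when the page loads inside a cross-site iframe. The cookie name, the portal origin, the finding labels and all header values are assumptions constructed for illustration.

```javascript
// Added example. All header values are constructed samples.

// Parse one Set-Cookie header into { name, attrs } with lowercase attribute keys.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] =
      i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Findings for a session cookie when the page is loaded in a cross-site iframe.
function auditEmbeddedCookie(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  const findings = [];
  if (sameSite !== "none") {
    // Strict and Lax are withheld from cross-site subframes; Chromium-based
    // browsers treat a missing SameSite attribute as Lax.
    findings.push("withheld-in-cross-site-iframe");
  } else if (!attrs.secure) {
    // SameSite=None is only accepted together with Secure.
    findings.push("rejected-samesite-none-without-secure");
  }
  if (!attrs.httponly) findings.push("readable-by-page-script");
  return findings;
}

// May portalOrigin frame a response with these headers (lowercase keys)?
// Simplified: matches only "*" and exact origins in frame-ancestors.
function framingAllowed(headers, portalOrigin) {
  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  // When frame-ancestors is present, it overrides X-Frame-Options.
  if (fa) return fa.slice(1).some((s) => s === "*" || s === portalOrigin);
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  return xfo !== "deny" && xfo !== "sameorigin";
}

// Constructed samples; "sid" is a placeholder cookie name.
const samples = [
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "sid=abc123; Path=/; HttpOnly; SameSite=None",
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
];
for (const s of samples) console.log(auditEmbeddedCookie(s), "<-", s);
```

An empty findings list only means the cookie attributes permit cross-site use; browsers that block third-party cookies can still withhold the cookie inside the iframe.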