ES CORS enabling in ES 2.2


(vinay) #1

Elasticsearch by default will not allow cross-domain requests. We have to enable CORS (Cross-Origin Resource Sharing) in the Elasticsearch configuration file.

I want to try to get ES data directly as a REST API from a JavaScript front layer. I want to ask: is there any disadvantage to enabling ES CORS? Or should we make some middle layer to change the header?

Looking forward to your input.


(Tim Vernum) #2

Enabling CORS will explicitly loosen the security protections that are provided in a browser-based environment.

By its very nature, it makes the data you have stored in Elasticsearch available in more contexts. A naive configuration of CORS would allow any website to query your data. A more considered configuration may be secure depending on your environment.

It is impossible for us to perform that risk assessment on your behalf. CORS is disabled by default because that is the only reliable secure setting, but if you are careful and make well-considered choices when enabling CORS, that can be secure as well.

> I want to try to get ES data directly as a REST API from a JavaScript front layer.

We do not generally recommend that approach. If this is a private network, then you can make it work, but we would discourage it.
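
The difference between a naive and a more considered CORS configuration, as an added example that is not part of the original posts or Elastic's own guidance. It uses the `http.cors.*` settings from `elasticsearch.yml`; the origin `https://dashboard.example.com` is a placeholder assumption.

```yaml
# elasticsearch.yml (Elasticsearch 2.x HTTP CORS settings)

# Naive: script on any website the user visits may read responses
# from this node. Shown commented out for comparison only.
# http.cors.enabled: true
# http.cors.allow-origin: "*"

# More considered: one explicit origin, trimmed methods, no credentials.
http.cors.enabled: true

# Placeholder origin (assumption). Use the exact scheme://host[:port]
# that serves the JavaScript front end. A value wrapped in /.../ is
# treated as a regular expression, so keep any pattern as narrow as possible.
http.cors.allow-origin: "https://dashboard.example.com"

# The default also permits PUT and DELETE; list only what the front end
# needs (POST is kept here for search requests that send a body).
http.cors.allow-methods: "OPTIONS, HEAD, GET, POST"

# Request headers the browser is allowed to send cross-origin.
http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length"

# Default is false. Leaving it off stops the browser from attaching
# cookies or HTTP auth to cross-origin requests.
http.cors.allow-credentials: false
```

These settings only control what browsers allow cross-origin scripts to read. Any non-browser client that can reach the HTTP port is unaffected, so network-level restrictions or a middle layer are still needed to control who can query the node.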

