Elasticsearch by default will not allow cross domain requests.we have to enable CORS (Cross-Origin Resource Sharing) in Elasticsearch configuration file.
I want to try get ES data directly as REST API from javascript front layer. I want to ask, is there any disadvantage of using it ES cors enabling. Or we should make some middle layer to change the header.
Enabling CORS will explicitly loosen the security protections that are provided in a browser based environment.
By its very nature, it makes the data you have stored in elasticsearch available in more contexts. A naive configuration of CORS would allow any websites to query your data. A more considered configuration may be secure depending on your environment.
It is impossible for us to perform that risk assessment on your behalf. CORS is disabled by default because that is the only reliable secure setting, but if you are careful and make well-considered choices when enabling CORS, that can be secure as well.
I want to try get ES data directly as REST API from javascript front layer.
We do not generally recommend that approach. If this is a private network, then you can make it work, but we would discourage it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.