I have set up a Node.JS website that shows dashboards in an embedded iframe. It uses basic authentication and a reverse proxy to Kibana 5 using NGINX. So it's secure.
This website uses embedded iframes and looks pretty cool. Just as I wanted. So the iframe has a source something like below:
http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard?embed=true
But since this link is in the client code, I don't want any smart users to figure out that removing "embed=true" from the querystring will take them directly into the Kibana page with all the admin options enabled, bypassing my awesome Node JS application's way of restricting which user should see which dashboard. I want any request that does not contain "embed=true" to be denied by the proxy server or Kibana settings. I'm hoping this would be possible in the NGINX configuration file. But I cannot figure out how, because "embed=true" is part of the querystring but not the route. Or is this possible in Kibana settings somehow?
So for requests like below I want to return 403 Forbidden.
- http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard
- http://kibana_url:3002/app/kibana#/discover?_g=()
- http://kibana_url:3002/app/kibana#/management?_g=()
etc.
I have configured port 3002 to reverse proxy port 5601 in NGINX as below:
    server {
        listen 3002;
        server_name localhost;
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
        location ~ (/app/|/kibana/|/kibana5/|/ui/|/api/|/es_admin/|/elasticsearch/|/bundles/|/status|/plugins) {
            proxy_pass http://localhost:5601;
        }
    }
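
Added example, not part of the original post: in the URLs above, everything after `#` is a URL fragment, which browsers keep client-side and never put in the HTTP request, so this sketch shows what the proxy on port 3002 would actually receive for each of them. The function names are hypothetical; it runs under Node.js using only the built-in `URL` class.

```javascript
// Constructed sample input: the iframe URL and the three "should be denied" URLs from the post.
const urls = [
  "http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard?embed=true",
  "http://kibana_url:3002/app/kibana#/dashboard/My-Awesome-Dashboard",
  "http://kibana_url:3002/app/kibana#/discover?_g=()",
  "http://kibana_url:3002/app/kibana#/management?_g=()",
];

// What the browser puts on the HTTP request line: path plus query, never the fragment.
function requestTarget(rawUrl) {
  const u = new URL(rawUrl);
  return u.pathname + u.search;
}

// What a server-side query-string check (e.g. nginx $arg_embed) would have to work with.
function serverSideEmbed(rawUrl) {
  return new URL(rawUrl).searchParams.get("embed"); // null when absent
}

// Where embed=true actually lives: inside the fragment, which only client-side code reads.
function fragmentEmbed(rawUrl) {
  const hash = new URL(rawUrl).hash.slice(1); // drop the leading '#'
  const q = hash.indexOf("?");
  if (q === -1) return null;
  return new URLSearchParams(hash.slice(q + 1)).get("embed");
}

// Group the URLs by the request the proxy would receive for each.
function groupByRequestTarget(list) {
  const groups = new Map();
  for (const raw of list) {
    const key = requestTarget(raw);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(raw);
  }
  return groups;
}

for (const raw of urls) {
  console.log(requestTarget(raw), "| server sees embed =", serverSideEmbed(raw),
              "| fragment embed =", fragmentEmbed(raw));
}
console.log("distinct request targets:", groupByRequestTarget(urls).size);
```

All four URLs reach the proxy as the same request, so a rule keyed on the query string cannot tell the embedded view from the full Kibana UI; per-user restriction has to be enforced on what the server can see, such as the authenticated user and the proxied paths.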