Header value/HTMLRequest blocked by CORS policy (CORS in Elasticsearch)


Currently I am facing an issue with CORS not allowing an XMLHttpRequest from my localhost (when using a header) to my public Internet URL for Kibana. The error message when making a call to my public URL using this header:

const headers = new HttpHeaders({
  'kbn-xsrf': '6.5.4'
});


Access to XMLHttpRequest at 'https://<URL>.drlteam.net/api/security/v1/login' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

But if I make a call without a header the message is:

HttpErrorResponse {headers: HttpHeaders, status: 400, statusText: "Bad Request", url: "https://<URL>/api/security/v1/login", ok: false, …}
error: {statusCode: 400, error: "Bad Request", message: "Request must contain a kbn-xsrf header."}
headers: HttpHeaders {normalizedNames: Map(0), lazyUpdate: null, lazyInit: ƒ}
message: "Http failure response for https://<URL>/api/security/v1/login: 400 Bad Request"
name: "HttpErrorResponse"
ok: false
status: 400
statusText: "Bad Request"
url: "https://<URL>/api/security/v1/login"
__proto__: HttpResponseBase

The settings in our elasticsearch.yml(s) are:

http.cors.enabled: true
http.cors.allow-origin: "http://localhost:4200"
http.cors.allow-credentials: true
http.cors.allow-headers: Authorization, kbn-xsrf

Not sure where to go from here. Any assistance would be great.
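
As an added example (not part of the original post and not Elastic's code), here is a simplified JavaScript model of the check a browser applies to the preflight response. It shows why a request carrying `kbn-xsrf` is preflighted and which response headers the server answering the request URL must return. The function names and the two sample responses are constructed for illustration.

```javascript
// Simplified model of the browser's CORS preflight check (added example).
// Not a full Fetch implementation: preflight status and methods are not checked.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Request headers outside the safelist force an OPTIONS preflight.
// (content-type is only safelisted for form/text values; simplified here.)
function headersNeedingPreflight(requestHeaders) {
  return Object.keys(requestHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h));
}

// Returns null when the preflight passes, otherwise the reason it is blocked.
function checkPreflight(origin, requestHeaders, withCredentials, responseHeaders) {
  const res = {};
  for (const [k, v] of Object.entries(responseHeaders)) res[k.toLowerCase()] = v;

  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin === undefined) return "No 'Access-Control-Allow-Origin' header is present";
  if (withCredentials && allowOrigin === '*') return 'wildcard origin not allowed with credentials';
  if (allowOrigin !== '*' && allowOrigin !== origin) return `origin ${origin} not allowed`;
  if (withCredentials && res['access-control-allow-credentials'] !== 'true') {
    return "'Access-Control-Allow-Credentials' is not 'true'";
  }
  const allowed = (res['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const h of headersNeedingPreflight(requestHeaders)) {
    // '*' is a wildcard only without credentials, and never covers Authorization.
    const wildcardOk = !withCredentials && allowed.includes('*') && h !== 'authorization';
    if (!allowed.includes(h) && !wildcardOk) return `request header ${h} not allowed`;
  }
  return null;
}

// Values from the post; both preflight responses below are constructed samples.
const ORIGIN = 'http://localhost:4200';
const REQUEST_HEADERS = { 'kbn-xsrf': '6.5.4' };
const NO_CORS_HEADERS = { 'Content-Type': 'application/json' };
const WITH_CORS_HEADERS = {
  'Access-Control-Allow-Origin': 'http://localhost:4200',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'Authorization, kbn-xsrf',
};

console.log(headersNeedingPreflight(REQUEST_HEADERS));
console.log(checkPreflight(ORIGIN, REQUEST_HEADERS, true, NO_CORS_HEADERS));
console.log(checkPreflight(ORIGIN, REQUEST_HEADERS, true, WITH_CORS_HEADERS));
```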
