How to protect dashboard URL from eavesdropping?


(張皓翔) #1

Hi, I embed the dashboard iframe in a custom web page, but I am afraid that the URL could be eavesdropped if some people with bad intentions get the URL directly. But I don't want users to key in the password every time they log in to the custom web page. What can I do?

Thank you in advance!


(張皓翔) #2

I have installed x-pack, and I found that every time I log in I need to retype the account and password.
I think it's a little inconvenient for users.


(Brandon Kobel) #3

Hi, I embed the dashboard iframe in a custom web page, but I am afraid that the URL could be eavesdropped if some people with bad intentions get the URL directly. But I don't want users to key in the password every time they log in to the custom web page. What can I do?

Is there specific information that you're not wanting to disclose via the URL that you're using with the iframe?

I have installed x-pack, and I found that every time I log in I need to retype the account and password.
I think it's a little inconvenient for users.

We store the login information in a cookie that by default doesn't time out, but it is tied to the browser's session storage, so if you close down the browser and re-open it then you'll have to log back in. Do you have xpack.security.sessionTimeout set in your kibana.yml?


(張皓翔) #4

OK, I got it.
I just hope that when I enter my external page and load the Kibana iframe, I needn't type the account and password, and other people can't directly enter the Kibana URL.


(Brandon Kobel) #5

@f26227279 if you have security enabled in Kibana/Elasticsearch, users will always have to log in to be able to use Kibana/Elasticsearch, even if Kibana is in an iframe.

If you'd like to embed a secured instance of Kibana in an iframe and not require users to log in, you can create a user that has read-only access to Kibana and put a reverse proxy in front of Kibana that provides the username/password through a Basic Auth header, as discussed here.
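
The reverse-proxy arrangement described in the reply above, written as an nginx configuration; this is an added example, not part of the original thread or of Elastic's documentation. Hostnames, certificate paths, the portal's session-check endpoint and the credential placeholder are assumptions, and the portal's session cookie is assumed to be scoped so that the browser also sends it to the dashboards host.

```nginx
# Added example: every hostname, path and endpoint below is a placeholder.
# Kibana should listen on loopback only (server.host: "127.0.0.1" in
# kibana.yml) so that this proxy is the only route to it.

server {
    listen 443 ssl;                       # TLS keeps the URL and cookies off the wire
    server_name dashboards.example.com;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/dashboards.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/dashboards.key;

    # Internal subrequest: asks the custom web page's backend whether the
    # caller's session cookie is valid. A 2xx answer allows the request,
    # 401/403 denies it. Requires ngx_http_auth_request_module.
    location = /_portal_auth {
        internal;
        proxy_pass              http://127.0.0.1:8080/session/check;  # hypothetical endpoint
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
    }

    location / {
        # Without this gate, anyone who learns the URL gets the read-only
        # account for free, because the proxy logs in on their behalf.
        auth_request /_portal_auth;

        # base64("readonly_user:password") of the read-only Kibana user.
        # The value never reaches the browser, and it overwrites any
        # Authorization header the client sent.
        proxy_set_header Authorization "Basic <BASE64_OF_USER_COLON_PASSWORD>";
        proxy_set_header Host $host;
        proxy_pass       http://127.0.0.1:5601;

        # Allow framing only by the custom web page's origin.
        add_header Content-Security-Policy "frame-ancestors https://portal.example.com" always;
    }
}
```

The file holds a credential, so it should be readable only by root and the nginx user, and the role given to the read-only user should cover only the indices the embedded dashboard needs.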

