How to Restrict Enterprise Search to a specific Domain Origin


We just set up Enterprise Search for our website. We use the query suggestion API (/api/as/v1/engines/{ENGINE_NAME}/query_suggestion) on our frontend.

Since our endpoint and public key are exposed, how can we restrict things so that the API only allows requests from our domain?

I tried to set up CORS by adding these two lines to elasticsearch.yml

http.cors.enabled: true

But it doesn't seem to work. I can still access the API from another domain.

What's the right way to restrict the origin?


Great question! I wish I had a great answer. Right now, there's no out-of-the-box support for this feature in Enterprise Search. You might be able to achieve this by proxying requests through nginx (or similar) and configuring CORS on that level.
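The proxy approach suggested above, as an added example that is not part of the thread and not Elastic's own configuration: an nginx server that sits in front of Enterprise Search, exposes only the query-suggestion endpoint, echoes the CORS headers for a single allowed origin, and refuses everything else. The hostnames, the listening port 3002 for Enterprise Search, and the origin https://www.example.com are assumptions to replace with your own values.

```nginx
# Added example (not from the thread): nginx reverse proxy in front of Enterprise Search
# that only answers browser requests from https://www.example.com.
# Hostnames, ports and the allowed origin are assumptions; replace them with your own.

# Map the request's Origin header to the value we are willing to echo back.
# Only the exact allowed origin matches; every other Origin maps to an empty string.
map $http_origin $allowed_origin {
    default                   "";
    "https://www.example.com" $http_origin;
}

server {
    listen 443 ssl;
    server_name search-proxy.example.com;
    # ssl_certificate / ssl_certificate_key are assumed to be configured here.

    # Expose only the query-suggestion endpoint, not the whole Enterprise Search API.
    location ~ ^/api/as/v1/engines/[A-Za-z0-9_-]+/query_suggestion$ {
        # Reject requests that do not carry the allowed Origin.
        # Browsers always send Origin on cross-site requests; a non-browser client can
        # forge it, so this reduces casual abuse but is not authentication.
        if ($allowed_origin = "") {
            return 403;
        }

        # Answer CORS preflight requests at the proxy without touching the backend.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $allowed_origin always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age       600 always;
            return 204;
        }

        # Actual requests: echo the single allowed origin and tell caches it varies.
        add_header Access-Control-Allow-Origin $allowed_origin always;
        add_header Vary Origin always;
        # Drop any CORS header the backend itself might add, so there is never a
        # duplicated or broader Access-Control-Allow-Origin in the response.
        proxy_hide_header Access-Control-Allow-Origin;

        # Forward to Enterprise Search (assumed on the same VM or availability zone).
        proxy_pass http://127.0.0.1:3002;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Nothing else is proxied.
    location / {
        return 404;
    }
}
```

The frontend then calls https://search-proxy.example.com instead of Enterprise Search directly. Two caveats worth keeping in mind: CORS is enforced by browsers only, so anyone who can read the public key from your page source can still call the proxy from a script; and the http.cors.* settings in elasticsearch.yml apply to Elasticsearch's own REST port, not to the Enterprise Search API, which is why setting them had no visible effect.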

Great, thanks for the suggestion. Latency might be an issue, but I'll have to give it a try to know.

Latency should not be a huge issue as long as the proxy is located near the Enterprise Search cluster. If you're running a self-managed deployment, running in the same VM or, at least, the same availability zone is recommended. For Elastic Cloud deployments, I'd recommend using the same cloud provider and the same region as your deployment. Then the extra latency should be sub-1ms.

I've also filed an internal enhancement request for potentially adding this Enterprise Search config option in the future. Thanks so much for the suggestion @MCL!