It seems like Kibana calls ES APIs directly from the browser, through a proxified ES endpoint (e.g., /kibana/elasticsearch/_mget...). That Kibana ES proxy allows accessing any ES URL, including plugins (e.g., /kibana/elasticsearch/_plugin/kopf/#!/cluster).
This makes it hard to make Kibana secure and "read-only" using a reverse proxy (for those not opting for Shield), and to prevent users from calling ES APIs directly (even though they are proxified by Kibana).
I know that Grafana has a setting "Access" with options:
Proxy = access via Grafana backend, Direct = access directly from browser.
Would it not be possible to have a similar option in Kibana, so Kibana would do server-to-server calls to ES APIs, without exposing all ES functions to end-users?
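An added example, not part of the original post and not Kibana or Elasticsearch code: a default-deny check a reverse proxy (or an auth subrequest handler behind it) could apply to requests under the `/kibana/elasticsearch/` prefix mentioned above. The function name, the endpoint allowlist and the `_all` exception are assumptions to adapt to what the dashboards actually call.

```python
from urllib.parse import unquote, urlsplit

PROXY_PREFIX = "/kibana/elasticsearch/"  # prefix quoted in the post
# Assumption: the read-style ES endpoints the dashboards need.
QUERY_ENDPOINTS = {"_search", "_msearch", "_mget", "_count"}  # GET/HEAD/POST
GET_ONLY_ENDPOINTS = {"_mapping"}                             # GET/HEAD only


def is_allowed(method, url):
    """Return True only for read-style requests through the Kibana ES proxy."""
    # urlsplit drops the query string and any "#..." fragment.
    path = unquote(urlsplit(url).path)
    # A "%" left after one decode means double encoding; refuse anything the
    # backend might decode differently from this filter.
    if "%" in path or "\\" in path or "\x00" in path:
        return False
    if not path.startswith(PROXY_PREFIX):
        return False
    segments = path[len(PROXY_PREFIX):].split("/")
    # Empty, "." and ".." segments could re-route the request after the check.
    if any(s in ("", ".", "..") for s in segments):
        return False
    *targets, endpoint = segments
    # Index/type positions must not be ES system paths (_plugin, _cluster, ...).
    if any(t.startswith("_") and t != "_all" for t in targets):
        return False
    method = method.upper()
    if endpoint in QUERY_ENDPOINTS:
        return method in ("GET", "HEAD", "POST")
    if endpoint in GET_ONLY_ENDPOINTS:
        return method in ("GET", "HEAD")
    return False  # default deny: index writes, deletes, admin and plugin URLs


if __name__ == "__main__":
    # Constructed sample requests.
    for m, u in [("POST", "/kibana/elasticsearch/_mget?timeout=0"),
                 ("GET", "/kibana/elasticsearch/_plugin/kopf/#!/cluster"),
                 ("DELETE", "/kibana/elasticsearch/logstash-2015.01.01")]:
        print(m, u, "->", "allow" if is_allowed(m, u) else "deny")
```

A policy this strict also blocks Kibana's own writes through the same endpoint, so saving dashboards from the browser stops working for users behind it.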