Hello,
We have embedded Kibana dashboards in our application. If X-Pack security is enabled, we configure an nginx proxy so that the user viewing the dashboards can seamlessly access/view them without being prompted for credentials to log in to Kibana. We do that by setting a rule in the proxy similar to this:
location / {
    # CHANGE host and port to wherever Kibana listens
    proxy_pass http://localhost:5601;
    # Turn the application's cookie into the Basic credential Kibana expects
    proxy_set_header Authorization "Basic $cookie_MY_KIBANA_COOKIE";
    proxy_set_header Accept-Encoding "";                          # no backend compression
    proxy_set_header X-Forwarded-By $server_addr:$server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $server_name:8091;
}
Now, this can expose a vulnerability because:
"A username was detected either in the request query string or the Set-Cookie header. A username is considered sensitive private information that should be protected. Exposing a username in query strings or cookies can also leave it exposed in server logs, proxy logs, and network traffic inspection tools."
Question:
Aside from using a proxy, how can we let our application users view the embedded Kibana dashboards without being prompted for Kibana credentials? I welcome suggestions.
Thanks,
Anna
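To make the scanner finding concrete, here is an added example (not part of Anna's post, and not code from the application or from Kibana) that models what the nginx rule above actually does with the cookie. The `proxy_set_header Authorization "Basic $cookie_MY_KIBANA_COOKIE";` line only works if the application stores base64 of `username:password` in `MY_KIBANA_COOKIE`, so the cookie is the Kibana password as well as the username, and base64 is reversible by anyone who sees it. The username `anna`, the password `s3cr3t`, and the access-log line are constructed for this example; the cookie name is the one from the post.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Cookie name taken from the nginx rule in the post.
COOKIE_NAME = "MY_KIBANA_COOKIE"


def basic_credential(username: str, password: str) -> str:
    """Value the application has to store in the cookie for the nginx rule
    to produce a valid header: base64 of 'username:password' (RFC 7617).
    base64 is an encoding, not encryption: the cookie *is* the credential."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def cookie_value(cookie_header: str, name: str) -> str:
    """Mimic nginx's $cookie_NAME variable: the named cookie's value from the
    request's Cookie header, or the empty string when the cookie is absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def authorization_header(cookie_header: str) -> str:
    """The Authorization header the nginx rule sends upstream to Kibana.
    Edge case: with no cookie the variable expands to an empty string, so
    nginx still sends 'Basic ' with no credential (Kibana answers 401)
    rather than omitting the header."""
    return f"Basic {cookie_value(cookie_header, COOKIE_NAME)}"


def recover_credentials(token: str) -> Optional[Tuple[str, str]]:
    """What anyone who can read the cookie (browser storage, a proxy or
    access log, a capture of a plain-HTTP hop) gets back from it."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def credentials_in_log_line(line: str) -> Optional[Tuple[str, str]]:
    """Pull the Kibana credential out of one access-log line that logs the
    request's Cookie header. Returns None if the cookie is not in the line."""
    match = re.search(re.escape(COOKIE_NAME) + r"=([A-Za-z0-9+/=]+)", line)
    if match is None:
        return None
    return recover_credentials(match.group(1))


# Constructed sample: one nginx access-log line for a log_format that
# includes $http_cookie. 203.0.113.7 is a documentation address.
SAMPLE_COOKIE = basic_credential("anna", "s3cr3t")
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [10/Oct/2023:12:00:00 +0000] "GET /app/dashboards HTTP/1.1" 200 512 '
    f'"session=abc123; {COOKIE_NAME}={SAMPLE_COOKIE}" "Mozilla/5.0"'
)


if __name__ == "__main__":
    print("header sent to Kibana :", authorization_header(f"session=abc123; {COOKIE_NAME}={SAMPLE_COOKIE}"))
    print("header with no cookie :", repr(authorization_header("session=abc123")))
    print("recovered from log    :", credentials_in_log_line(SAMPLE_LOG_LINE))
```

Running it shows the three things the finding is about: the upstream header carries the credential verbatim, a request without the cookie still produces a (malformed) `Basic ` header, and a single logged request is enough to recover both the username and the password, not just the username the scanner reports.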