Security provides AAA for the cluster. In a two(or three)-tier application, the end user doesn't have direct access to the ES cluster. The Web (or application) server sits in-between the user and ES.
AAA does not solve the injection vulnerability problem, because the user sends its parameters to the webserver, and the server constructs the request on the end-users behalf. We are trying to prevent the end-user from modifying that request.
So, is there an API function to perform input validation/sanitization on user input?