Unable to execute POST request to Kibana


I've built a UI that executes REST API for creating user, role, and a space in Kibana.
But, the POST requests fail due to CORS poilicy:

In the kibana.yml I have the following:
server.cors: true
server.cors.origin: ["*"]

I am using Elastic Stack 7.5.1

Please advise.


I would appreciate your help. It is a blocker for me.

Hello @peternijem

I don't see documentation for the configurations you cite. Can you show me where you found them? Do you intend to send the request to Kibana or Elasticsearch?

Hi @mattkime

Yeah maybe I grabbed these configurations from documentation of older Kibana release:
server.cors: true
server.cors.origin: ["*"]

Anyway, what I am trying to achieve is really simple. We have deployed open-source Kibana 7.5.1 and I want to trigger POST/PUT endpoints for creating Space, Role, User etc.
This is part of some web-application project. When I try to create a Space for example, I get the error I mentioned above. It is CORS issue. Apparently Kibana is not allowing cross-origin requests.
The questions is: how can I enable it? I have access to kibana.yml and Kibana code.

Please assist here because it is a major blocker for the use of Kibana in production.

REST API for creating a space on Kibana 7.5:

I see there is server.xsrf.whitelist configuration that may help (https://www.elastic.co/guide/en/kibana/7.5/settings.html). But I am not sure how to do so.

Maybe also server.xsrf.disableProtection: true? (documentation is bad :frowning: )
Anyway, I am sending on my request the header kbn-xsrf: true



Tried all the following:

  1. server.cors: true
    server.cors.origin: ["*"]

  2. server.xsrf.whitelist: ["/api/spaces/space"]

  3. server.xsrf.disableProtection: true

Nothing helped. I am still getting the same error when trying to execute POST request to /api/spaces/space

I have no other idea. Please assist

I suspect those options were removed to increase the security of kibana.

You have a couple of options -

  1. place your app behind the same domain as kibana
  2. develop a kibana plugin
  3. use a use a proxy to forward requests to kibana

Thanks. But, as I've said already Kibana's documentation is bad.
Most of the configurations I've tried are part of Kibana 7.5 official documentation.
Please update your documentation. This will save users/developers lots of precious time.


BTW, how come I don't have this issue with GET requests?
In my app I mentioned before, I can execute GET requests without any issue. But neither POST or PUT.

Most of the configurations I've tried are part of Kibana 7.5 official documentation.
Please update your documentation. This will save users/developers lots of precious time.

Can you be more specific about what is incorrect about the documentation? Here's a link to the 7.5 configuration docs - https://www.elastic.co/guide/en/kibana/7.5/settings.html

For instance, I can see server.xsrf.whitelist configuration. It is part of the documentation. It is always good to add an example of how to use each property. In my case, I've added as such:
server.xsrf.whitelist: ["/api/spaces/space"]
But it didn't help. Not sure why. Can you maybe assist me with that? Is it even the right direction for overcoming my issue?

Another example, it's the documentation of using REST API of Kibana 7.5. Here: https://www.elastic.co/guide/en/kibana/7.5/using-api.html#api-request-headers

server.xsrf.disableProtection configuration is mentioned although it is not on the page you've sent. So documentation is inconsistent.

I am pretty sure there is another solution for my issue. Especially taking into consideration that GET requests are working as expected.
Only the third option is feasible in my case but requires more work from other teams.
I really prefer to fix this issue on my side only without additional requirements and complications.

Can you post a HAR file showing succeeding and failing request attempts? I think starting with server.xsrf.disableProtection: true makes sense

I created the following issue regarding documentation - https://github.com/elastic/kibana/issues/76017

Yeah but server.xsrf.disableProtection: true didn't help.

With which configuration of Kibana you want me to record the requests sent from my app?

Start with server.xsrf.disableProtection: true - it seems it should work.


I've tried what you've suggested. Now even GET requests don't work!

This is one of the GET requests I use:

Below is the error from the console:
app:1 Access to XMLHttpRequest at '' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Below is the link for the HAR file which includes the GET and POST requests:

Hey @peternijem,

Sorry you're having a hard time with cross-origin requests to Kibana.

I see in the HAR file that you're making a request to POST

Is this your Kibana endpoint? If so, the API to create a user in 7.5 is /api/security/v1/users/{username} (source link).

I also see a request to, which is returning a 404. Do you have security enabled for Kibana? If so, what user are you authenticating with? If the user does not have sufficient privileges (effectively the kibana_user role), then this endpoint can return a 404.

I know you tried a lot of config combinations. Does the following help any?

server.cors: true
# do not set server.cors.origin

server.xsrf.disableProtection: true

I will try it.
Can I change any part in the code to enable CORS?
FYI, I am using open-source Kibana 7.5.1


Can you clarify this? If you're using the Apache-2.0 licensed version of Kibana, then your installation doesn't have the concept of a User, Role, or Space. These are all free features available with the "Default Distribution", which is granted under the Elastic License.

Do you see the "Space Avatar" at the top of Kibana?

If so, then you're running the Default Distribution, rather than the Open Source Distribution.

Setting server.cors: true should be sufficient to allow browsers to honor cross-origin requests. Setting server.xsrf.disableProtections: true should be sufficient to tell Kibana that you don't wish to protect the installation from cross-site request forgery. This should be a short-term solution, until we get it working. Then, we can move to the whitelist that you attempted earlier.

I see the Space Avatar. We've cloned Kibana 7.5.1 from the official GitHub page.

Thanks for clarifying. We don't recommend cloning the repository unless you're developing a Kibana plugin. If you're just looking to run Kibana, then I'd recommend downloading the built distributable here: https://www.elastic.co/downloads/past-releases/kibana-7-5-1

That aside, let me know how you make out with my earlier recommendation.