Unable to perform login on Kibana through browser JavaScript API call

We are trying without success to call the Kibana (Elastic Cloud) login API api/security/v1/login from the browser with JavaScript.

The code is

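$.ajax({  // jQuery-style options object, as posted
  method: "POST",
  url: "https://XXXXXXXXXXXXXXXXXXX:9243/api/security/v1/login",
  dataType: "json",
  headers: { "kbn-xsrf": "6.6.2", "Content-Type": "application/json" },
  // Serialize the body so it matches the declared JSON Content-Type
  data: JSON.stringify({ username: "user", password: "123456" }),
  success: function (success) { /* handler body not included in the post */ },
  error: function (error) { console.log("error"); }
});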

The error returned on browser is

Access to XMLHttpRequest at 'https://XXXXXXXXXXXXXXXXXXXXXXXX:9243/api/security/v1/login' from origin 'http://localhost:4000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Does anyone know how to solve this problem?

Hi there!

In order to make requests across domains inside a browser, you'll need to enable CORS on the Kibana server. Unfortunately, this is not a documented configuration option, but it is supported.

Add server.cors: true to your kibana.yml in the Cloud dashboard. This should add the Access-Control-Allow-Origin: * header to all responses from Kibana. Note that this enables any webpage to access your Kibana API, though of course they'll still need valid credentials if you're using Security.

We tried to set this configuration server.cors: true to our kibana.yml on the elastic cloud deployment but the Activity page shows the following error:

'server.cors': is not allowed

Please, what are we doing wrong?

It looks like we disallow this option in Elastic Cloud. Reach out to Cloud Support, they may be able to enable this setting for you.

If not, you will need to set up a proxy server (e.g. nginx) in front of your Kibana server to add these headers. Though before doing that, you may want to explore other options. What is it that you're trying to develop?

Hello Josh,

We want to show the Kibana dashboard in an Elixir/Phoenix application of ours. The dashboard will be shown in an iframe tag.

Ok, we will try some more to set the server.cors option, and reach out to Cloud Support if necessary.

Thank you very much.

Got it! This thread here may be helpful. You can set up an nginx server that adds Authorization headers for a specific user to auto-authenticate requests. This is likely more secure than embedding credentials in your client-side code.

If this is a public-facing site, I definitely recommend using credentials for a user with the kibana_dashboard_only_user role so they cannot modify any Kibana data.
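The proxy approach suggested in the replies above, sketched as an nginx configuration. This is an added example, not configuration posted by anyone in the thread; every hostname, the allowed origin, the certificate paths and the credential value are placeholders.

```nginx
# Constructed example: all names and the credential below are placeholders.
# Place inside the http { } context.

# Echo the Origin back only when it is on the allow-list. An empty value
# makes nginx omit the header, so other sites get no CORS grant at all
# (narrower than the "*" that server.cors: true would send).
map $http_origin $cors_origin {
    default                    "";
    "https://app.example.com"  $http_origin;
}

server {
    listen 443 ssl;
    server_name kibana-proxy.example.com;
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        # Answer the CORS preflight at the proxy; this is the request that
        # failed in the browser error quoted in the question.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type, kbn-xsrf" always;
            add_header Vary Origin always;
            return 204;
        }

        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Vary Origin always;

        # The credential lives here, server-side, never in browser code.
        # Use a user holding only the kibana_dashboard_only_user role.
        proxy_set_header Authorization "Basic <BASE64_OF_USER_COLON_PASSWORD>";

        # Send SNI so the upstream TLS endpoint can route by hostname.
        proxy_ssl_server_name on;
        proxy_pass https://your-kibana-host.example.com:9243;
    }
}
```

Anyone who can reach this proxy is treated as the injected user, so the role restriction recommended above is what bounds the exposure. Keep the configuration file readable only by the nginx service account, since it contains the credential.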
