Why doesn't Kibana need CORS on ES to be configured?

I just built a very basic web page that sends HTTP requests to an ES instance running locally, and I noticed I needed to set up CORS on the ES instance for the requests to work. Specifically, I needed to add these lines to elasticsearch.yml:

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type, Content-Length

However, I noticed that without the above lines, Kibana works fine, even though it's also running locally and connecting to a local ES node. Why does Kibana work and not my web page?

I'm guessing at the protocols involved, but I assume, as a safety measure, your browser would always send some kind of header to Elasticsearch if you visited 'dodgy domain.com' and the JavaScript in that site was trying to call localhost:9200 directly from your browser. The default-configured Elasticsearch server would see your browser's header and reject that request. You can change the config to whitelist certain domains that originally served the calling JavaScript, but setting it to "*" to whitelist all domains would be unwise.

When you're using Kibana, your browser does not talk to Elasticsearch directly; the Kibana server acts as a proxy. The Kibana server talks to Elasticsearch on your behalf, and it doesn't pass the header that states the request has come from a potentially untrustworthy source. The assumption is that the ES client code running in the Kibana server is trusted and not some potentially rogue code loaded from the internet.
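To make the mechanism in the answer concrete, here is an added example (not code from the thread, Elasticsearch or Kibana) that models the server-side origin check behind http.cors.allow-origin: the browser's Origin header is compared against the configured value, and a request with no Origin header at all (what the Kibana server's own call to Elasticsearch looks like) is never subject to the check. The "" default, "*" and the documented /regex/ form follow the ES setting; treating other values as a comma-separated list of literal origins, the exact header set returned, and the sample origins are assumptions made for the example.

```python
import re
from typing import Optional


def origin_allowed(origin: Optional[str], allow_origin: str) -> bool:
    """Simplified model of the http.cors.allow-origin check.

    origin is the browser's Origin request header, or None when the request
    was not made by a browser on another site (e.g. the Kibana server calling
    Elasticsearch on your behalf). allow_origin is the configured setting:
    "" (default, nothing whitelisted), "*" (every origin), "/regex/" (the
    documented regular-expression form) or, as assumed here, one or more
    literal origins separated by commas.
    """
    if origin is None:
        return True  # no Origin header: a server-to-server call, CORS does not apply
    if not allow_origin:
        return False  # default config: no origin is whitelisted
    if allow_origin == "*":
        return True
    if len(allow_origin) > 2 and allow_origin[0] == allow_origin[-1] == "/":
        return re.fullmatch(allow_origin[1:-1], origin) is not None
    return origin in {o.strip() for o in allow_origin.split(",")}


def cors_response_headers(origin: Optional[str], allow_origin: str) -> dict:
    """CORS headers the server adds to its response (assumed set, for illustration).
    An empty dict for a request that carried an Origin header means the browser
    will refuse to hand the response to the page's script: the asker's web page
    without the CORS lines in elasticsearch.yml."""
    if origin is None or not origin_allowed(origin, allow_origin):
        return {}
    return {
        "Access-Control-Allow-Origin": "*" if allow_origin == "*" else origin,
        "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, POST, PUT, DELETE",
    }


if __name__ == "__main__":
    # Constructed sample origins; "dodgy-domain.com" stands in for the answer's 'dodgy domain.com'.
    # 1. Script on a third-party site calls localhost:9200 directly, default ES config.
    print(cors_response_headers("http://dodgy-domain.com", ""))    # {}
    # 2. The asker's allow-origin "*": every site, the dodgy one included, gets access.
    print(cors_response_headers("http://dodgy-domain.com", "*"))
    # 3. A narrower whitelist in the documented regex form that only admits local dev pages.
    local = "/https?:\\/\\/localhost(:[0-9]+)?/"
    print(cors_response_headers("http://localhost:8080", local))
    print(cors_response_headers("http://dodgy-domain.com", local))  # {}
    # 4. Kibana server -> Elasticsearch: no Origin header, so no CORS config is needed.
    print(origin_allowed(None, ""))                                 # True
```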
