I just built a very basic web page that sends HTTP requests to an ES instance running locally and I noticed I needed to setup CORS on the ES instance for the requests to work, specifically I needed to add these lines to
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type, Content-Length
However I noticed that without the above lines, Kibana works fine. Even though it's also running locally and connecting to a local ES node. Why does Kibana work and not my web page?
When you’re using kibana your browser does not talk to elasticsearch directly - the kibana server acts as a proxy. The Kibana server talks to elasticsearch on your behalf and it doesn’t pass the header that states the request has come from a potentially untrustworthy source. The assumption is the es client code running in the Kibana server is trusted and not some potentially rogue code loaded from the internet.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.