In the current docs, we do not really explain the ramifications of changing elasticsearch.requestHeadersWhitelist.
https://www.elastic.co/guide/en/kibana/current/settings.html
elasticsearch.requestHeadersWhitelist:
Default: [ 'authorization' ]
List of Kibana client-side headers to send to Elasticsearch. To send no client-side headers, set this value to [] (an empty list).
This is further compounded by the example kibana.yml (kibana/config/kibana.yml, lines 68 to 70 in 39994b4) showing a similar comment:

```yaml
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
```

It sounds a lot more secure to send no headers, but it means that you can never authenticate a request against an instance of Elasticsearch that requires Basic Authentication.
We should probably note that removing the authorization header from being whitelisted means that you cannot use Basic Authentication from Kibana.
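
The effect described above, as an added example that is not part of the original issue and is not Kibana's own code: a simplified model of whitelist-based header forwarding in front of a backend that requires Basic Authentication. The function names `filterHeaders`, `mockElasticsearch` and `proxyRequest`, the credentials and the request headers are all constructed for illustration.

```javascript
// Simplified model of header forwarding; not Kibana's actual implementation.
// All function names and the credentials below are constructed for illustration.

// Keep only client headers whose names appear in the whitelist
// (case-insensitive, since HTTP header names are case-insensitive).
function filterHeaders(clientHeaders, whitelist) {
  const allowed = new Set(whitelist.map((name) => name.toLowerCase()));
  const forwarded = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    if (allowed.has(name.toLowerCase())) forwarded[name.toLowerCase()] = value;
  }
  return forwarded;
}

// Stand-in for an Elasticsearch node that requires Basic Authentication.
function mockElasticsearch(headers) {
  const expected = 'Basic ' + Buffer.from('demo_user:demo_pass').toString('base64');
  if (headers.authorization !== expected) {
    return { status: 401, body: 'missing or invalid credentials' };
  }
  return { status: 200, body: 'ok' };
}

// Stand-in for the Kibana server forwarding a browser request to Elasticsearch.
function proxyRequest(clientHeaders, whitelist) {
  const forwarded = filterHeaders(clientHeaders, whitelist);
  return { forwarded, response: mockElasticsearch(forwarded) };
}

// Constructed browser request: Basic credentials plus unrelated headers.
const clientHeaders = {
  Authorization: 'Basic ' + Buffer.from('demo_user:demo_pass').toString('base64'),
  Cookie: 'session=constructed-value',
  'X-Custom': 'example',
};

// Default setting: only the authorization header reaches the backend.
const withDefault = proxyRequest(clientHeaders, ['authorization']);
// Empty list: nothing is forwarded, so the backend rejects the request.
const withEmpty = proxyRequest(clientHeaders, []);

console.log('default whitelist ->', withDefault.response.status, Object.keys(withDefault.forwarded));
console.log('empty whitelist   ->', withEmpty.response.status, Object.keys(withEmpty.forwarded));
```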