Configure Cross-Origin Resource Sharing (CORS)edit

There are two options to handle CORS headers in Elastic Cloud Enterprise:

  1. Elastic Cloud Enterprise proxy handles the responses to CORS headers.

    • It is default behavior in Elastic Cloud Enterprise 2.x,
    • It is Deprecated in Elastic Cloud Enterprise 2.9+,
    • It will be removed in Elastic Cloud Enterprise 3.x.
  2. Elastic Cloud Enterprise relies on Elastic Stack components to handle the CORS headers.

    • This will be the default behavior in Elastic Cloud Enterprise 3.x.

Elastic Cloud Enterprise proxy generates open, but potentially unsafe Access-Control-Allow-Origin in each response. It reflects the Host header of the request back to the client:

curl -i -u "$AUTH" -H "Origin:" "https://${CLUSTER_ID}.${ECE_URL}:9243"
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization, Content-Type, Origin, Accept, X-Requested-With
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, POST, PUT

This behavior is convenient, as it requires no extra setup for embedding the Elastic Stack in other webpages. It may be considered insecure.

In contrast, Elastic Stack by default returns no CORS headers:

curl -i -u "$AUTH" -H "Origin:" "https://${CLUSTER_ID}.${ECE_URL}:9243"
# No Access-Control-Allow-* headers

See the Elastic Stack documentation to learn how to allow cross origin requests.