The first step in securing your cluster is to ensure that your app is accessing it via SSL. Always use secure HTTPS connections over port 9243. We still allow HTTP connections over port 9200, but we recommend against them and no longer list the HTTP endpoint on the cluster Overview page.
For Elasticsearch clusters before version 5.0, don’t forget to enable Shield. You also want to keep your cluster endpoint URLs safe, so that others will not be able to access unsecured clusters.
For a more detailed overview of security settings you must consider before you run Elasticsearch in production, read Securing Your Elasticsearch Cluster.