Security Settings in Kibanaedit

You do not need to configure any additional settings to use X-Pack security in Kibana. It is enabled by default.

General Security Settingsedit

xpack.security.enabled

By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled.

Do not set this to false; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings.

xpack.security.audit.enabled
Set to true to enable audit logging for security events. By default, it is set to false. For more details see Audit Logging.
xpack.security.authorization.legacyFallback.enabled
Set to true (default) to enable the legacy fallback. See Authorization for more details.

User Interface Security Settingsedit

You can configure the following settings in the kibana.yml file:

xpack.security.cookieName
Sets the name of the cookie used for the session. The default value is "sid"
xpack.security.encryptionKey
An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts.
xpack.security.secureCookies
Sets the secure flag of the session cookie. The default value is false. It is set to true if server.ssl.certificate and server.ssl.key are set. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).
xpack.security.sameSiteCookies
Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true. Some old versions of IE11 do not support SameSite: None.
xpack.security.sessionTimeout
Sets the session duration (in milliseconds). By default, sessions stay active until the browser is closed. When this is set to an explicit timeout, closing the browser still requires the user to log back in to Kibana.
xpack.security.loginAssistanceMessage
Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.