Security Settings in Kibanaedit

You do not need to configure any additional settings to use X-Pack security in Kibana. It is enabled by default.

General Security Settingsedit

xpack.security.enabled

Set to true (default) to enable X-Pack security.

Do not set this to false. To disable X-Pack security entirely, see Elasticsearch Security Settings.

If set to false in kibana.yml, the login form, user and role management screens, and authorization using Kibana privileges are disabled.

xpack.security.audit.enabled
Set to true to enable audit logging for security events. This is set to false by default. For more details see Audit Logging.
xpack.security.authorization.legacyFallback
Set to true (default) to enable the legacy fallback. See Authorization for more details.

User Interface Security Settingsedit

You can configure the following settings in the kibana.yml file:

xpack.security.cookieName
Sets the name of the cookie used for the session. The default value is "sid"
xpack.security.encryptionKey
An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts.
xpack.security.secureCookies
Sets the secure flag of the session cookie. The default value is false. It is set to true if server.ssl.certificate and server.ssl.key are set. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).
xpack.security.sessionTimeout
Sets the session duration (in milliseconds). By default, sessions stay active until the browser is closed.