This topic describes how to configure cross-origin resource sharing (CORS) for Alibaba Cloud Elasticsearch. CORS can be configured to allow browsers on other origins to access your clusters.

  • The configuration items in the following table are custom configurations provided by Elasticsearch to support HTTP.
  • The configuration items in the following table support only static configuration. For the configurations to take effect, you must add the configurations to the elasticsearch.yml file.
  • The configuration items in the following table depend on the network settings of an Elasticsearch cluster.
Configuration item Description
http.cors.enabled The CORS configuration item. This item is used to specify whether to allow browsers on other origins to access Elasticsearch. Valid values: true and false.
  • If you set the value to true, CORS is enabled, and then Elasticsearch can process OPTIONS CORS requests. If the origin in a request is declared in http.cors.allow-origin, Elasticsearch returns a response that has the Access-Control-Allow-Origin header included.
  • The default value is false. If you set the value to false, CORS is disabled. In this case, Elasticsearch ignores the origin in the request header and returns a response that does not have the Access-Control-Allow-Origin header included. If a client cannot send a pre-flight request that has origin information included in the request header or does not validate the Access-Control-Allow-Origin header in the response that is returned from the server, the cross-origin security is compromised. If CORS is disabled for Elasticsearch, a client can only send an OPTIONS request to check whether the Access-Control-Allow-Origin header exists.

The origin configuration item. This item specifies the origins from which requests are allowed. By default, no origin is allowed.

If you add a forward slash (/) to the start and end of the value, this item is treated as a regular expression. This allows you to use regular expressions to support HTTP and HTTPS requests. For example, /https?:\/\/localhost(:[0-9]+)? / indicates that Elasticsearch responds to all requests that match the regular expression.

Note The asterisk (*) is a valid character but considered as a security risk because it indicates that an Elasticsearch cluster is open to all origins. We recommend that you do not use asterisks.
http.cors.max-age Browsers can send OPTIONS requests to query the CORS configuration. This item specifies the cache time of the retrieved CORS configuration. The default value is 1728000 seconds (20 days).
http.cors.allow-methods The item that is used to configure the request method. Valid values: OPTIONS, HEAD, GET, POST, PUT, and DELETE.
http.cors.allow-headers The item that is used to configure the request header. Valid values: X-Requested-With, Content-Type, and Content-Length.
http.cors.allow-credentials The credential configuration item. This item specifies whether Elasticsearch is allowed to return the Access-Control-Allow-Credentials header. The default value is false, which indicates that Elasticsearch is not allowed to return the header. You can set the value to true. This allows Elasticsearch to return the header.