- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 8.7
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- Alerting and action settings
- APM settings
- Banners settings
- Enterprise Search settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Monitoring settings
- Reporting settings
- Search sessions settings
- Secure settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure logging
- Configure monitoring
- Command line tools
- Production considerations
- Discover
- Dashboard and visualizations
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- APM
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Data views API
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Cases APIs
- Add comment
- Create case
- Delete cases
- Delete comments
- Find case activity
- Find cases
- Find connectors
- Get alerts
- Get case activity
- Get case
- Get case status
- Get cases by alert
- Get comments
- Get configuration
- Get reporters
- Get tags
- Push case
- Set configuration
- Update cases
- Update comment
- Update configuration
- Import and export dashboard APIs
- Logstash configuration management APIs
- Machine learning APIs
- Osquery manager API
- Short URLs APIs
- Get Task Manager health
- Upgrade assistant APIs
- Kibana plugins
- Troubleshooting
- Accessibility
- Release notes
- Developer guide
Security production considerations
editSecurity production considerations
editTo secure your Kibana installation in production, consider these high-priority topics to ensure that only authorized users can access Kibana. For more information on Kibana’s security controls, see Configure security.
Enable SSL/TLS
editYou should use SSL/TLS encryption to ensure that traffic between browsers and the Kibana server cannot be viewed or tampered with by third parties. See encrypt HTTP client communications for Kibana.
encrypt-kibana-http
Use Elastic Stack security features
editYou can use Elastic Stack security features to control what Elasticsearch data users can access through Kibana.
When security features are enabled, Kibana users have to log in. They must have a role granting Kibana privileges and access to the indices that they will be working with in Kibana.
If a user loads a Kibana dashboard that accesses data in an index that they are not authorized to view, they get an error that indicates the index does not exist.
For more information on granting access to Kibana, see Granting access to Kibana.
Use secure HTTP headers
editThe Kibana server can instruct browsers to enable additional security controls using HTTP headers.
-
Enable HTTP Strict-Transport-Security.
Use
strictTransportSecurity
to ensure that browsers will only attempt to access Kibana with SSL/TLS encryption. This is designed to prevent manipulator-in-the-middle attacks. To configure this with a lifetime of one year in yourkibana.yml
:server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
This header will block unencrypted connections for the entire domain. If you host more than one web application on the same domain using different ports or paths, all of them will be affected.
-
Disable embedding.
Use
disableEmbedding
to ensure that Kibana cannot be embedded in other websites. To configure this in yourkibana.yml
:server.securityResponseHeaders.disableEmbedding: true
Require a Content Security Policy
editKibana uses a Content Security Policy (CSP) to prevent the browser from allowing
unsafe scripting, but older browsers will silently ignore this policy. If your
organization does not need to support very old
versions of our supported browsers, we recommend that you enable Kibana’s
strict
mode for the CSP. This will block access to Kibana
for any browser that does not enforce even a rudimentary set of CSP
protections.
To do this, set csp.strict
to true
in your kibana.yml
:
csp.strict: true
On this page