[http] Core's internal router needs to handle an access parameter #152282
Labels
Epic:VersionedAPIs
Kibana Versioned APIs
Feature:http
Team:Core
Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
Comments
TinaHeiligers
added
Feature:http
Team:Core
|
Pinging @elastic/kibana-core (Team:Core) |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue is to handle the work needed for step 3 in
[http] Prevent access to internal-only APIs when running in serverless
Note: Some (if not most) of the individual issues might need t to be handled at the same time. For now, we assume that any work specifically addressing VersionedRouters can be done in parallel.
Adapt Core's internal router to handle the access parameter
Core's internal routing system should properly use this access parameter. When accessing a route defined as internal, and when Kibana is configured accordingly (see point 6.), the system will check the presence of the x-elastic-internal-origin header, and return an error (403? other?) if the said header is not present.
Note: validation on the content of the header is probably not necessary, unless someone thinks otherwise.
The text was updated successfully, but these errors were encountered: