
Disable embedding for initial serverless offering #154263

Closed
legrego opened this issue Apr 3, 2023 · 2 comments
Labels
blocked duplicate enhancement New value added to drive a business result Feature:Hardening Hardening of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Member

legrego commented Apr 3, 2023

Blocked on #153274.

The initial serverless offering should not be embeddable. Kibana already exposes this configuration option, so we'll "just" have to adjust the default configuration when running in a serverless context:

```yaml
server.securityResponseHeaders.disableEmbedding: true
```

Docs for this setting:

[[server-securityResponseHeaders-disableEmbedding]]`server.securityResponseHeaders.disableEmbedding`::
Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[`Content-Security-Policy`] and
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options[`X-Frame-Options`] headers are configured to disable embedding
{kib} in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors:
'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header. *Default:* `false`
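The behaviour the quoted docs describe, as an added TypeScript example that is not Kibana's own code: with `disableEmbedding` set, the response gains a `frame-ancestors 'self'` CSP directive (written here in standard CSP syntax, without the colon shown in the docs) and an `X-Frame-Options: SAMEORIGIN` header. A second function checks a captured header map the way a reviewer verifying a serverless deployment would. The base policy string and all function and type names are assumptions for illustration.

```typescript
// Added example, not Kibana's implementation. Models the effect of
// server.securityResponseHeaders.disableEmbedding on response headers.

interface SecurityResponseHeadersConfig {
  disableEmbedding: boolean;
}

// Hypothetical base policy; Kibana's real default CSP is not reproduced here.
const BASE_CSP = "script-src 'self'; style-src 'self' 'unsafe-inline'";

function buildSecurityHeaders(
  config: SecurityResponseHeadersConfig,
  baseCsp: string = BASE_CSP
): Record<string, string> {
  const headers: Record<string, string> = {};
  let csp = baseCsp.trim();
  if (config.disableEmbedding) {
    // frame-ancestors is the CSP directive modern browsers honour for framing;
    // X-Frame-Options is the legacy header older browsers fall back to.
    csp = csp.endsWith(';')
      ? `${csp} frame-ancestors 'self'`
      : `${csp}; frame-ancestors 'self'`;
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  headers['Content-Security-Policy'] = csp;
  return headers;
}

// Defender-side check over a captured header map: does this response forbid
// framing from foreign origins? Header names are compared case-insensitively.
// CSP takes precedence over X-Frame-Options, mirroring browser behaviour.
function forbidsForeignEmbedding(headers: Record<string, string>): boolean {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const csp = lower['content-security-policy'] ?? '';
  const frameAncestors = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
  if (frameAncestors) {
    const sources = frameAncestors.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // Only 'self' or 'none' restricts framing to the same origin or to nothing;
    // any additional host source would allow that host to embed the page.
    return sources.length > 0 && sources.every((s) => s === "'self'" || s === "'none'");
  }
  const xfo = (lower['x-frame-options'] ?? '').trim().toUpperCase();
  return xfo === 'SAMEORIGIN' || xfo === 'DENY';
}

// Constructed comparison of the default and the hardened configuration.
const embeddable = buildSecurityHeaders({ disableEmbedding: false });
const hardened = buildSecurityHeaders({ disableEmbedding: true });
console.log(embeddable, forbidsForeignEmbedding(embeddable)); // false
console.log(hardened, forbidsForeignEmbedding(hardened));     // true
```

The check deliberately treats a `frame-ancestors` list that mixes `'self'` with extra hosts as not hardened, since each listed host may embed the page.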

@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Hardening Hardening of Kibana from a security perspective labels Apr 3, 2023
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego added the blocked label Apr 3, 2023
@legrego
Member Author

legrego commented May 1, 2023

Closing in favor of #150884
