From 8876ddf90bb48a28580e8a712c7ef9de061f61ed Mon Sep 17 00:00:00 2001 From: jaymode Date: Wed, 8 Jul 2015 15:24:14 -0400 Subject: [PATCH] fix spelling and add to migration docs --- docs/reference/migration/migrate_2_0.asciidoc | 11 +++++++++++ docs/reference/modules/http.asciidoc | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/reference/migration/migrate_2_0.asciidoc b/docs/reference/migration/migrate_2_0.asciidoc index 84053a82f44..1cd4f5d20be 100644 --- a/docs/reference/migration/migrate_2_0.asciidoc +++ b/docs/reference/migration/migrate_2_0.asciidoc @@ -450,6 +450,17 @@ http.cors.enabled: true http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/ --------------- +=== CORS allowed origins + +The CORS allowed origins setting, `http.cors.allow-origin`, no longer has a default value. Previously, the default value +was `*`, which would allow CORS requests from any origin and is considered insecure. The `http.cors.allow-origin` setting +should be specified with only the origins that should be allowed, like so: + +[source,yaml] +--------------- +http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/ +--------------- + === Cluster state REST api The cluster state api doesn't return the `routing_nodes` section anymore when diff --git a/docs/reference/modules/http.asciidoc b/docs/reference/modules/http.asciidoc index 95399450828..3255361bf86 100644 --- a/docs/reference/modules/http.asciidoc +++ b/docs/reference/modules/http.asciidoc 
@@ -60,7 +60,7 @@ allowed. If you prepend and append a `/` to the value, this will be treated as a regular expression, allowing you to support HTTP and HTTPs. for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the request header appropriately in both cases. `*` is a valid value but is -considered a *secruity risk* as your elasticsearch instance is open to cross origin +considered a *security risk* as your elasticsearch instance is open to cross origin requests from *anywhere*. |`http.cors.max-age` |Browsers send a "preflight" OPTIONS-request to
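Review bot: In the new `=== CORS allowed origins` section of migrate_2_0.asciidoc, the text says `http.cors.allow-origin` "no longer has a default value" but does not say what happens when `http.cors.enabled: true` is set and no origin is configured. State the resulting behaviour so that upgraders know whether cross-origin requests that previously worked under `*` will now be rejected. The example is also identical to the `http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/` line in the block directly above the new section, and it uses the `/.../` form without explanation. Consider adding a sentence that a value wrapped in `/` is treated as a regular expression, as http.asciidoc describes, or showing a literal origin instead.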
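Review bot: In the `http.cors.allow-origin` row of http.asciidoc, the unchanged context line still reads `HTTP and HTTPs. for example using`, so the sentence after the period starts in lower case and `HTTPs` is inconsistently cased. Since this commit is a spelling fix in the same paragraph, correct those here as well ("HTTP and HTTPS. For example, using ..."). The visible lines of this row also say only that `*` is "a valid value"; a short statement that it must now be set explicitly would keep this reference in step with the migration note that the setting has no default.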