fix spelling and add to migration docs

docs/reference/migration/migrate_2_0.asciidoc

@@ -450,6 +450,17 @@ http.cors.enabled: true
 http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
 ---------------
 
+=== CORS allowed origins
+
+The CORS allowed origins setting, `http.cors.allow-origin`, no longer has a default value. Previously, the default value
+was `*`, which would allow CORS requests from any origin and is considered insecure. The `http.cors.allow-origin` setting
+should be specified with only the origins that should be allowed, like so:
+
+[source,yaml]
+---------------
+http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
+---------------
+
 === Cluster state REST api
 
 The cluster state api doesn't return the `routing_nodes` section anymore when

docs/reference/modules/http.asciidoc

@@ -60,7 +60,7 @@ allowed. If you prepend and append a `/` to the value, this will
 be treated as a regular expression, allowing you to support HTTP and HTTPs.
 for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the
 request header appropriately in both cases. `*` is a valid value but is
-considered a *secruity risk* as your elasticsearch instance is open to cross origin
+considered a *security risk* as your elasticsearch instance is open to cross origin
 requests from *anywhere*.
 
 |`http.cors.max-age` |Browsers send a "preflight" OPTIONS-request to