fix spelling and add to migration docs

2015-07-08 15:24:14 -04:00 · 2015-07-08 15:24:14 -04:00 · 8876ddf90b
parent 6b086dc7db
commit 8876ddf90b
2 changed files with 12 additions and 1 deletions
--- a/docs/reference/migration/migrate_2_0.asciidoc
+++ b/docs/reference/migration/migrate_2_0.asciidoc
@ -450,6 +450,17 @@ http.cors.enabled: true
 http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
 ---------------

+=== CORS allowed origins
+
+The CORS allowed origins setting, `http.cors.allow-origin`, no longer has a default value. Previously, the default value
+was `*`, which would allow CORS requests from any origin and is considered insecure. The `http.cors.allow-origin` setting
+should be specified with only the origins that should be allowed, like so:
+
+[source,yaml]
+---------------
+http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
+---------------
+
 === Cluster state REST api

 The cluster state api doesn't return the `routing_nodes` section anymore when
--- a/docs/reference/modules/http.asciidoc
+++ b/docs/reference/modules/http.asciidoc
@ -60,7 +60,7 @@ allowed. If you prepend and append a `/` to the value, this will
 be treated as a regular expression, allowing you to support HTTP and HTTPs.
 for example using `/https?:\/\/localhost(:[0-9]+)?/` would return the
 request header appropriately in both cases. `*` is a valid value but is
-considered a *secruity risk* as your elasticsearch instance is open to cross origin
+considered a *security risk* as your elasticsearch instance is open to cross origin
 requests from *anywhere*.

 |`http.cors.max-age` |Browsers send a "preflight" OPTIONS-request to