mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-09 06:25:07 +00:00
6b086dc7db
Today, we disable CORS by default, but if a user simply enables CORS their instance of elasticsearch will allow cross origin requests from anywhere, as the default value for allowed origins is `*`. This changes the default to be `null` so that no origins are allowed and the user must explicitly specify the origins they wish to allow requests from. The documentation also mentions that there is a security risk in using `*` as the value. Closes #11169