| mapped_pages | applies_to | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
When connecting client applications to {{es}}, use these best practices:
- Always use HTTPS for all connections
- Validate server certificates to prevent man-in-the-middle attacks
- Use API keys or token-based authentication rather than basic auth where possible
- Implement appropriate connection pooling and retry mechanisms
- Consider mutual TLS for high-security environments
The {{es}} {{security-features}} work with standard HTTP basic authentication headers to authenticate users. Since {{es}} is stateless, this header must be sent with every request:
Authorization: Basic <TOKEN> <1>- The
<TOKEN>is computed asbase64(USERNAME:PASSWORD)
Alternatively, you can use token-based authentication services.
This example uses curl without basic auth to create an index:
curl -XPUT 'localhost:9200/idx'{
"error": "AuthenticationException[Missing authentication token]",
"status": 401
}Since no user is associated with the request above, an authentication error is returned. Now we’ll use curl with basic auth to create an index as the rdeniro user:
curl --user rdeniro:taxidriver -XPUT 'localhost:9200/idx'{
"acknowledged": true
}Some APIs support secondary authorization headers for situations where you want tasks to run with a different set of credentials. For example, you can send the following header in addition to the basic authentication header:
es-secondary-authorization: Basic <TOKEN> <1>- The
<TOKEN>is computed asbase64(USERNAME:PASSWORD)
The es-secondary-authorization header has the same syntax as the Authorization header. It therefore also supports the use of token-based authentication services. For example:
es-secondary-authorization: ApiKey <TOKEN> <1>- The
<TOKEN>is computed asbase64(API key ID:API key)
For more information about using {{security-features}} with the language specific clients, refer to: