If you have that in your config file, then you should have seen an exception when you restarted the node, because * has special meaning in YAML. You should set your config as follows:

http.cors.enabled: true
http.cors.allow-origin: "*"

Then restart the node, and you can check that the allow-origin header is there with:

curl -H "User-Agent: Mozilla" -H "Origin: http://example.com" -i localhost:9200

which outputs:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8
Content-Length: 336

{
  "status" : 200,
  "name" : "Powerpax",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}

@clintongormley I've run into this same issue. From everything I've read, the following should work:

http.cors.enabled : true
http.cors.allow-origin : "*"

But Kibana isn't happy, and the curl you suggest also indicates that CORS isn't enabled:

$ curl -H "User-Agent: Mozilla" -H "Origin: http://example.com" -i localhost:9200
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 337

{
  "status" : 200,
  "name" : "Firefrost",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.3",
    "build_hash" : "36a29a7144cfde87a960ba039091d40856fcb9af",
    "build_timestamp" : "2015-02-11T14:23:15Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.3"
  },
  "tagline" : "You Know, for Search"
}

I suspect my elasticsearch.yaml isn't being picked up for some reason (although my logging.yaml in the same directory is definitely being picked up). Is there some way to tell from the log file if something is amiss? (Or maybe an http endpoint that reflects the settings elasticsearch has parsed?)

Note: I think my specific issue with CORS has been solved. (https://github.com/elasticsearch/elasticsearch/issues/9706)

https://jsbroadcast.com/elastic-search-cors/

@agjs please don't enable jsonp - that introduces a security issue.

Cors works correctly as documented here: https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html

This issue was, as @devinrsmith pointed out, related to #9706. Closing

It's working only if you specify a valid user-agent:

Is it normal behavior?

:+1:
I don't think so.
I have the same problem.

Linking the open issue for the User-Agent problems:

16689

adding following to config file has resolved the issue

http.cors.enabled : true
http.cors.allow-origin : "*"

I confirm @ravijangra solution worked for me too on Windows

Setting http.cors.allow-origin : "*" can be dangerous. You should instead list the actual domain patterns which should match otherwise you are opening yourself up to XSS attacks.

thanks for the note @clintongormley ... however, how do i get the domain patterns you are talking about? do you know how to find these out? thx

@tsando you have to know where requests are allowed to come from, eg you have some javascript served from www.foo.com which is allowed to make requests to your ES server, then you'd add https?://www.foo.com.

With it set to *, you can browse to www.dodgydomain.com, which can serve malicious JS to your web browser, and cause you to send requests to your Elasticsearch cluster.

In Which File We need To add the Following lines in ionic 3??
http.cors.enabled : true
http.cors.allow-origin : "*"
I need a file name.whether it is ionic.config.json or config.xml or tsconfig.json? where to add??

In Which File We need To add the Following lines in ionic 3??
http.cors.enabled : true
http.cors.allow-origin : "*"
I need a file name.whether it is ionic.config.json or config.xml or tsconfig.json? where to add??

@vigneshrvicky at windows the file can be found here: _C:\ProgramData\Elastic\Elasticsearch\config_, but if u can't find it, look at the ES_PATH_CONF environment variable, at this dir you can check the _config_ dir and edit the elasticsearch.yml file