Using search applications with untrusted clients

Using search applications with untrusted clients

When building a frontend application for search use cases, there are two main approaches to returning search results:

  1. The client (user’s browser) makes API requests to the application backend, which in turn makes a request to Elasticsearch. The Elasticsearch cluster is not exposed to the end user.
  2. The client (user’s browser) makes API requests directly to the search service - in this case the Elasticsearch cluster is reachable to the client.

This guide describes best practices when taking the second approach. Specifically, we will explain how to use search applications with frontend apps that make direct requests to the Search Application Search API.

This approach has a few advantages:

  • No need to maintain a passthrough query system between frontend applications and Elasticsearch
  • Direct requests to Elasticsearch result in faster response times
  • Query configuration is managed in one place: your search application configuration in Elasticsearch

We will cover:

Using Elasticsearch API keys with role restrictions

When frontend applications can make direct API requests to Elasticsearch, it’s important to limit the operations they can perform. In our case, frontend applications should only be able to call the Search Application Search API. To ensure this, we will create Elasticsearch API keys with role restrictions. A role restriction is used to specify under what conditions a role should be effective.

The following Elasticsearch API key has access to the website-product-search search application, only through the Search Application Search API:

  1. resp = client.security.create_api_key(
  2. name="my-restricted-api-key",
  3. expiration="7d",
  4. role_descriptors={
  5. "my-restricted-role-descriptor": {
  6. "indices": [
  7. {
  8. "names": [
  9. "website-product-search"
  10. ],
  11. "privileges": [
  12. "read"
  13. ]
  14. }
  15. ],
  16. "restriction": {
  17. "workflows": [
  18. "search_application_query"
  19. ]
  20. }
  21. }
  22. },
  23. )
  24. print(resp)
  1. const response = await client.security.createApiKey({
  2. name: "my-restricted-api-key",
  3. expiration: "7d",
  4. role_descriptors: {
  5. "my-restricted-role-descriptor": {
  6. indices: [
  7. {
  8. names: ["website-product-search"],
  9. privileges: ["read"],
  10. },
  11. ],
  12. restriction: {
  13. workflows: ["search_application_query"],
  14. },
  15. },
  16. },
  17. });
  18. console.log(response);
  1. POST /_security/api_key
  2. {
  3. "name": "my-restricted-api-key",
  4. "expiration": "7d",
  5. "role_descriptors": {
  6. "my-restricted-role-descriptor": {
  7. "indices": [
  8. {
  9. "names": ["website-product-search"],
  10. "privileges": ["read"]
  11. }
  12. ],
  13. "restriction": {
  14. "workflows": ["search_application_query"]
  15. }
  16. }
  17. }
  18. }

indices.name must be the name(s) of the Search Application(s), not the underlying Elasticsearch indices.

restriction.workflows must be set to the concrete value search_application_query.

It is crucial to specify the workflow restriction. Without this the Elasticsearch API key can directly call _search and issue arbitrary Elasticsearch queries. This is insecure when dealing with untrusted clients.

The response will look like this:

  1. {
  2. "id": "v1CCJYkBvb5Pg9T-_JgO",
  3. "name": "my-restricted-api-key",
  4. "expiration": 1689156288526,
  5. "api_key": "ztVI-1Q4RjS8qFDxAVet5w",
  6. "encoded": "djFDQ0pZa0J2YjVQZzlULV9KZ086enRWSS0xUTRSalM4cUZEeEFWZXQ1dw"
  7. }

The encoded value can then be directly used in the Authorization header. Here’s an example using cURL:

  1. curl -XPOST "http://localhost:9200/_application/search_application/website-product-search/_search" \
  2. -H "Content-Type: application/json" \
  3. -H "Authorization: ApiKey djFDQ0pZa0J2YjVQZzlULV9KZ086enRWSS0xUTRSalM4cUZEeEFWZXQ1dw" \
  4. -d '{
  5. "params": {
  6. "field_name": "color",
  7. "field_value": "red",
  8. "agg_size": 5
  9. }
  10. }'

If expiration is not present, by default Elasticsearch API keys never expire. The API key can be invalidated using the invalidate API key API.

Elasticsearch API keys with role restrictions can also use field and document level security. This further limits how frontend applications query a search application.

Parameter validation with search applications

Your search applications use search templates to render queries. The template parameters are passed to the Search Application Search API. In the case of APIs used by frontend applications or untrusted clients, we need to have strict parameter validation. Search applications define a JSON schema that describes which parameters the Search Application Search API allows.

The following example defines a search application with strict parameter validation:

  1. resp = client.search_application.put(
  2. name="website-product-search",
  3. search_application={
  4. "indices": [
  5. "website-products"
  6. ],
  7. "template": {
  8. "script": {
  9. "source": {
  10. "query": {
  11. "term": {
  12. "{{field_name}}": "{{field_value}}"
  13. }
  14. },
  15. "aggs": {
  16. "color_facet": {
  17. "terms": {
  18. "field": "color",
  19. "size": "{{agg_size}}"
  20. }
  21. }
  22. }
  23. },
  24. "params": {
  25. "field_name": "product_name",
  26. "field_value": "hello world",
  27. "agg_size": 5
  28. }
  29. },
  30. "dictionary": {
  31. "properties": {
  32. "field_name": {
  33. "type": "string",
  34. "enum": [
  35. "name",
  36. "color",
  37. "description"
  38. ]
  39. },
  40. "field_value": {
  41. "type": "string"
  42. },
  43. "agg_size": {
  44. "type": "integer",
  45. "minimum": 1,
  46. "maximum": 10
  47. }
  48. },
  49. "required": [
  50. "field_name"
  51. ],
  52. "additionalProperties": False
  53. }
  54. }
  55. },
  56. )
  57. print(resp)
  1. const response = await client.searchApplication.put({
  2. name: "website-product-search",
  3. search_application: {
  4. indices: ["website-products"],
  5. template: {
  6. script: {
  7. source: {
  8. query: {
  9. term: {
  10. "{{field_name}}": "{{field_value}}",
  11. },
  12. },
  13. aggs: {
  14. color_facet: {
  15. terms: {
  16. field: "color",
  17. size: "{{agg_size}}",
  18. },
  19. },
  20. },
  21. },
  22. params: {
  23. field_name: "product_name",
  24. field_value: "hello world",
  25. agg_size: 5,
  26. },
  27. },
  28. dictionary: {
  29. properties: {
  30. field_name: {
  31. type: "string",
  32. enum: ["name", "color", "description"],
  33. },
  34. field_value: {
  35. type: "string",
  36. },
  37. agg_size: {
  38. type: "integer",
  39. minimum: 1,
  40. maximum: 10,
  41. },
  42. },
  43. required: ["field_name"],
  44. additionalProperties: false,
  45. },
  46. },
  47. },
  48. });
  49. console.log(response);
  1. PUT _application/search_application/website-product-search
  2. {
  3. "indices": [
  4. "website-products"
  5. ],
  6. "template": {
  7. "script": {
  8. "source": {
  9. "query": {
  10. "term": {
  11. "{{field_name}}": "{{field_value}}"
  12. }
  13. },
  14. "aggs": {
  15. "color_facet": {
  16. "terms": {
  17. "field": "color",
  18. "size": "{{agg_size}}"
  19. }
  20. }
  21. }
  22. },
  23. "params": {
  24. "field_name": "product_name",
  25. "field_value": "hello world",
  26. "agg_size": 5
  27. }
  28. },
  29. "dictionary": {
  30. "properties": {
  31. "field_name": {
  32. "type": "string",
  33. "enum": ["name", "color", "description"]
  34. },
  35. "field_value": {
  36. "type": "string"
  37. },
  38. "agg_size": {
  39. "type": "integer",
  40. "minimum": 1,
  41. "maximum": 10
  42. }
  43. },
  44. "required": [
  45. "field_name"
  46. ],
  47. "additionalProperties": false
  48. }
  49. }
  50. }

Using that definition, the Search Application Search API performs the following parameter validation:

  • It only accepts the field_name, field_value and aggs_size parameters
  • field_name is restricted to only take the values “name”, “color” and “description”
  • agg_size defines the size of the term aggregation and it can only take values between 1 and 10

Working with CORS

Using this approach means that your user’s browser will make requests to the Elasticsearch API directly. Elasticsearch supports Cross-Origin Resource Sharing (CORS), but this feature is disabled by default. Therefore the browser will block these requests.

There are two workarounds for this:

Enable CORS on Elasticsearch

This is the simplest option. Enable CORS on Elasticsearch by adding the following to your elasticsearch.yml file:

  1. http.cors.allow-origin: "*" # Only use unrestricted value for local development
  2. # Use a specific origin value in production, like `http.cors.allow-origin: "https://<my-website-domain.example>"`
  3. http.cors.enabled: true
  4. http.cors.allow-credentials: true
  5. http.cors.allow-methods: OPTIONS, POST
  6. http.cors.allow-headers: X-Requested-With, X-Auth-Token, Content-Type, Content-Length, Authorization, Access-Control-Allow-Headers, Accept

On Elastic Cloud, you can do this by editing your Elasticsearch user settings.

  1. From your deployment menu, go to the Edit page.
  2. In the Elasticsearch section, select Manage user settings and extensions.
  3. Update the user settings with the configuration above.
  4. Select Save changes.
Proxy the request through a server that supports CORS

If you are unable to enable CORS on Elasticsearch, you can proxy the request through a server that supports CORS. This is more complicated, but is a viable option.

Learn more