Purpose and usage of http.cors.x field in elasticsearch configuration file
Whether http.cors.enabled supports cross-domain, the default is false
http.cors.allow-origin When the setting allows cross-domain, the default is *, which means that all domain names are supported. If we only allow certain websites to be accessible, we can use regular expressions formula. For example, only local addresses are allowed. /https?:\ /\ /localhost(:[0-9]+)?/
http.cors.max-age The browser sends a "preflight" OPTIONS request to determine the CORS settings. The maximum age defines how long the results should be cached. The default is 1728000 (20 days)
http.cors.allow-methods allows cross-domain request methods, the default OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers cross-domain allowable header information, the default is X-Requested-With, Content-Type, Content-Length
http.cors.allow-credentials Whether to return the set cross-domain Access-Control-Allow-Credentials header, if set to true, then it will be returned to the client.