diff --git a/docs/api/spaces-management/post.asciidoc b/docs/api/spaces-management/post.asciidoc index d8c194d8dc2b..4d4627e98899 100644 --- a/docs/api/spaces-management/post.asciidoc +++ b/docs/api/spaces-management/post.asciidoc @@ -16,28 +16,28 @@ experimental["The underlying Spaces concepts are stable, but the APIs for managi [[spaces-api-post-request-body]] ==== Request body -`id`:: +`id`:: (Required, string) The space ID that is part of the Kibana URL when inside the space. You are unable to change the ID with the update operation. -`name`:: +`name`:: (Required, string) The display name for the space. -`description`:: +`description`:: (Optional, string) The description for the space. -`disabledFeatures`:: +`disabledFeatures`:: (Optional, string array) The list of disabled features for the space. To get a list of available feature IDs, use the <>. -`initials`:: +`initials`:: (Optional, string) Specifies the initials shown in the space avatar. By default, the initials are automatically generated from the space name. Initials must be 1 or 2 characters. -`color`:: +`color`:: (Optional, string) Specifies the hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. -`imageUrl`:: +`imageUrl`:: (Optional, string) Specifies the data-url encoded image to display in the space avatar. If specified, `initials` will not be displayed, and the `color` will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. - + [[spaces-api-post-response-codes]] ==== Response codes diff --git a/docs/api/using-api.asciidoc b/docs/api/using-api.asciidoc index 82071af46363..37c5315025dc 100644 --- a/docs/api/using-api.asciidoc +++ b/docs/api/using-api.asciidoc @@ -1,7 +1,7 @@ [[using-api]] == Using the APIs -Interact with the {kib} APIs through the `curl` command and HTTP and HTTPs protocols. +Interact with the {kib} APIs through the `curl` command and HTTP and HTTPs protocols. It is recommended that you use HTTPs on port 5601 because it is more secure. @@ -34,13 +34,37 @@ For example, the following `curl` command exports a dashboard: curl -X POST -u $USER:$PASSWORD "localhost:5601/api/kibana/dashboards/export?dashboard=942dcef0-b2cd-11e8-ad8e-85441f0c2e5c" -- -The following {kib} APIs are available: +[float] +[[api-request-headers]] +=== Request headers -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> +For all APIs, you must use a request header. The {kib} APIs support the `kbn-xsrf` and `Content-Type` headers. + +`kbn-xsrf: true`:: + By default, you must use `kbn-xsrf` for all API calls, except in the following scenarios: + +* The API endpoint uses the `GET` or `HEAD` methods + +* The path is whitelisted using the <> setting + +* XSRF protections are disabled using the `server.xsrf.disableProtection` setting + +`Content-Type: application/json`:: + Applicable only when you send a payload in the API request. {kib} API requests and responses use JSON. Typically, if you include the `kbn-xsrf` header, you must also include the `Content-Type` header. + +Request header example: + +[source,sh] +-- +curl -X POST \ + http://localhost:5601/api/spaces/space \ + -H 'Content-Type: application/json' \ + -H 'kbn-xsrf: true' \ + -d '{ + "id": "sales", + "name": "Sales", + "description": "This is your Sales Space!", + "disabledFeatures": [] +} +' +-- diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc index 00b9e599911b..9324b305e458 100644 --- a/docs/setup/settings.asciidoc +++ b/docs/setup/settings.asciidoc @@ -358,6 +358,18 @@ all http requests to https over the port configured as `server.port`. `server.ssl.supportedProtocols:`:: *Default: TLSv1.1, TLSv1.2* An array of supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2` +`server.xsrf.whitelist:`:: It is not recommended to disable protections for +arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. There are some +scenarios where whitelisting is required, however, such as +<>. +The `server.xsrf.whitelist` setting requires the following format: + +[source,text] + +---- +*Default: [ ]* An array of API endpoints which should be exempt from Cross-Site Request Forgery ("XSRF") protections. +---- + `status.allowAnonymous:`:: *Default: false* If authentication is enabled, setting this to `true` enables unauthenticated users to access the Kibana server status API and status page.