elastic / sense

A JSON aware developer's interface to Elasticsearch. Comes with handy machinery such as syntax highlighting, autocomplete, formatting and code folding.

Implement proxy using POST method #80

Closed spalger closed 7 years ago

spalger commented 8 years ago

Fixes #76

The current proxy behaves as a proxy should and sends the request to its upstream counterpart in almost the exact way that it received it. These changes update the proxy to only run over POST and operate more like an API endpoint than a proxy. The endpoint now takes a URI, an HTTP method, and a request body. It will combine those into a request to the URI and return the response just like the proxy did. This means that methods like "HEAD" don't need special treatment, and it has security benefits.

spalger commented 8 years ago

The primary purpose behind this change is to make all requests to the proxy require xsrf protection, which was just implemented in Kibana. All non-GET requests must be paired with a valid xsrf token, which at least mitigates some of the threat of the proxy, since it can't be used by arbitrary websites on the internet to access your internal network.