kibana/config/serverless.yml

interactiveSetup.enabled: false
newsfeed.enabled: false
xpack.security.showNavLinks: false
xpack.serverless.plugin.enabled: true
xpack.fleet.internal.fleetServerStandalone: true
xpack.fleet.internal.disableILMPolicies: true

# Ess plugins
xpack.ess.security.enabled: false

# Management team plugins
xpack.upgrade_assistant.enabled: false
xpack.rollup.enabled: false
xpack.watcher.enabled: false
xpack.ccr.enabled: false
xpack.ilm.enabled: false
xpack.remote_clusters.enabled: false
xpack.snapshot_restore.enabled: false
xpack.license_management.enabled: false

# Other disabled plugins
#xpack.canvas.enabled: false #only disabable in dev-mode
xpack.reporting.enabled: false
xpack.cloud_integrations.data_migration.enabled: false
data.search.sessions.enabled: false

# Enforce restring access to internal APIs see https://github.com/elastic/kibana/issues/151940
# server.restrictInternalApis: true
# Telemetry enabled by default and not disableable via UI
telemetry.optIn: true
telemetry.allowChangingOptInStatus: false

# Harden security response headers, see https://github.com/elastic/kibana/issues/150884
# The browser should remember that a site, including subdomains, is only to be accessed using HTTPS for 1 year
# Can override this setting in kibana.dev.yml, e.g. server.securityResponseHeaders.strictTransportSecurity: null
server.securityResponseHeaders.strictTransportSecurity: max-age=31536000; includeSubDomains
# Disable embedding for serverless MVP
server.securityResponseHeaders.disableEmbedding: true

# default to newest routes
server.versioned.versionResolution: newest
# do not enforce client version check
server.versioned.strictClientVersionCheck: false

# Enforce single "default" space
xpack.spaces.maxSpaces: 1

# Temporarily allow unauthenticated access to task manager utilization & status/stats APIs for autoscaling
status.allowAnonymous: true
xpack.task_manager.unsafe.authenticate_background_task_utilization: false