diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
index d9a48835553cf..7e7e2b9d1a4cf 100644
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@@ -557,11 +557,10 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
 proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header.
 This setting may not be used when <<server-compression, `server.compression.enabled`>> is set to `false`. *Default: `none`*
 
-[[server-securityResponseHeaders-strictTransportSecurity]]
 a|
 `server.securityResponseHeaders:`
 `strictTransportSecurity:`
-| Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[`Strict-Transport-Security`]
+| [[server-securityResponseHeaders-strictTransportSecurity]] Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[`Strict-Transport-Security`]
 header is used in all responses to the client from the {kib} server, and specifies what value is used. Allowed values are any text value or
 `null`. To disable, set to `null`. *Default:* `null`
 
diff --git a/docs/user/production-considerations/alerting-production-considerations.asciidoc b/docs/user/production-considerations/alerting-production-considerations.asciidoc
index bd19a11435a99..57cc2a72a8895 100644
--- a/docs/user/production-considerations/alerting-production-considerations.asciidoc
+++ b/docs/user/production-considerations/alerting-production-considerations.asciidoc
@@ -36,7 +36,7 @@ For detailed guidance, see <<alerting-troubleshooting, Alerting Troubleshooting>
 
 [float]
 [[alerting-scaling-guidance]]
-=== Scaling Guidance
+=== Scaling guidance
 
 As rules and actions leverage background tasks to perform the majority of work, scaling Alerting is possible by following the <<task-manager-scaling-guidance,Task Manager Scaling Guidance>>.
 
@@ -58,7 +58,7 @@ Alerts and actions log activity in a set of "event log" indices.  These indices
 
 The name of the index policy is `kibana-event-log-policy`.  {kib} creates the index policy on startup, if it doesn't already exist.  The index policy can be customized for your environment, but {kib} never modifies the index policy after creating it.
 
-Because Kibana uses the documents to display historic data, you should set the delete phase longer than you would like the historic data to be shown. For example, if you would like to see one month's worth of historic data, you should set the delete phase to at least one month.
+Because {kib} uses the documents to display historic data, you should set the delete phase longer than you would like the historic data to be shown. For example, if you would like to see one month's worth of historic data, you should set the delete phase to at least one month.
 
 For more information on index lifecycle management, see:
 {ref}/index-lifecycle-management.html[Index Lifecycle Policies].
diff --git a/docs/user/production-considerations/index.asciidoc b/docs/user/production-considerations/index.asciidoc
index 198e8324af3e6..22307f6394248 100644
--- a/docs/user/production-considerations/index.asciidoc
+++ b/docs/user/production-considerations/index.asciidoc
@@ -1,4 +1,5 @@
 include::production.asciidoc[]
+include::security-production-considerations.asciidoc[]
 include::alerting-production-considerations.asciidoc[]
 include::reporting-production-considerations.asciidoc[]
 include::task-manager-production-considerations.asciidoc[]
diff --git a/docs/user/production-considerations/production.asciidoc b/docs/user/production-considerations/production.asciidoc
index 68a96add12e58..455e07e452807 100644
--- a/docs/user/production-considerations/production.asciidoc
+++ b/docs/user/production-considerations/production.asciidoc
@@ -5,74 +5,24 @@
 <titleabbrev>Production considerations</titleabbrev>
 ++++
 
-* <<configuring-kibana-shield>>
-* <<csp-strict-mode>>
-* <<enabling-ssl>>
-* <<load-balancing-kibana>>
-* <<accessing-load-balanced-kibana>>
-* <<high-availability>>
-* <<memory>>
-
-How you deploy Kibana largely depends on your use case. If you are the only user,
-you can run Kibana on your local machine and configure it to point to whatever
-Elasticsearch instance you want to interact with. Conversely, if you have a large
-number of heavy Kibana users, you might need to load balance across multiple
-Kibana instances that are all connected to the same Elasticsearch instance.
-
-While Kibana isn't terribly resource intensive, we still recommend running Kibana
-separate from  your Elasticsearch data or master nodes. To distribute Kibana
-traffic across the nodes in your Elasticsearch cluster,
-you can configure Kibana to use a list of Elasticsearch hosts.
-
-[float]
-[[configuring-kibana-shield]]
-=== Use {stack} {security-features}
-
-You can use {stack} {security-features} to control what {es} data users can
-access through Kibana.
-
-When {security-features} are enabled, Kibana users have to log in. They need to
-have a role granting <<kibana-privileges, Kibana privileges>> as well as access
-to the indices they will be working with in Kibana.
-
-If a user loads a Kibana dashboard that accesses data in an index that they
-are not authorized to view, they get an error that indicates the index does
-not exist.
-
-For more information on granting access to Kibana, see <<xpack-security-authorization>>.
-
-[float]
-[[csp-strict-mode]]
-=== Require Content Security Policy
-
-Kibana uses a Content Security Policy to help prevent the browser from allowing
-unsafe scripting, but older browsers will silently ignore this policy. If your
-organization does not need to support Internet Explorer 11 or much older
-versions of our other supported browsers, we recommend that you enable Kibana's
-`strict` mode for content security policy, which will block access to Kibana
-for any browser that does not enforce even a rudimentary set of CSP
-protections.
-
-To do this, set `csp.strict` to `true` in your `kibana.yml`:
-
-[source,js]
---------
-csp.strict: true
---------
+How you deploy {kib} largely depends on your use case. If you are the only user,
+you can run {kib} on your local machine and configure it to point to whatever
+{es} instance you want to interact with. Conversely, if you have a large
+number of heavy {kib} users, you might need to load balance across multiple
+{kib} instances that are all connected to the same {es} instance.
 
-
-[float]
-[[enabling-ssl]]
-=== Enable SSL
-
-See <<configuring-tls>>.
+While {kib} isn't terribly resource intensive, we still recommend running {kib}
+separate from  your {es} data or master nodes. To distribute {kib}
+traffic across the nodes in your {es} cluster,
+you can configure {kib} to use a list of {es} hosts.
 
 [float]
 [[load-balancing-kibana]]
-=== Load balancing across multiple Kibana instances
-To serve multiple Kibana installations behind a load balancer, you must change the configuration. See {kibana-ref}/settings.html[Configuring Kibana] for details on each setting.
+=== Load balancing across multiple {kib} instances
+To serve multiple {kib} installations behind a load balancer, you must change the configuration.
+See {kibana-ref}/settings.html[Configuring {kib}] for details on each setting.
 
-Settings unique across each Kibana instance:
+Settings unique across each {kib} instance:
 [source,js]
 --------
 server.uuid
@@ -119,8 +69,8 @@ active in case of failure from the currently used instance.
 [float]
 [[high-availability]]
 === High availability across multiple {es} nodes
-Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster.  In situations where a node becomes unavailable,
-Kibana will transparently connect to an available node and continue operating.  Requests to available hosts will be routed in a round robin fashion.
+{kib} can be configured to connect to multiple {es} nodes in the same cluster.  In situations where a node becomes unavailable,
+{kib} will transparently connect to an available node and continue operating.  Requests to available hosts will be routed in a round robin fashion.
 
 In kibana.yml:
 [source,js]
@@ -136,6 +86,7 @@ These can be used to automatically update the list of hosts as a cluster is resi
 [float]
 [[memory]]
 === Memory
+
 Kibana has a default memory limit that scales based on total memory available.  In some scenarios, such as large reporting jobs, 
 it may make sense to tweak limits to meet more specific requirements.
 
diff --git a/docs/user/production-considerations/security-production-considerations.asciidoc b/docs/user/production-considerations/security-production-considerations.asciidoc
new file mode 100644
index 0000000000000..a23911375639f
--- /dev/null
+++ b/docs/user/production-considerations/security-production-considerations.asciidoc
@@ -0,0 +1,88 @@
+[role="xpack"]
+[[Security-production-considerations]]
+== Security production considerations
+
+++++
+<titleabbrev>Security</titleabbrev>
+++++
+:keywords: administrator, analyst, concept, setup, security
+:description: Consider the production components for {kib} security.
+
+To secure your {kib} installation in production, consider these high-priority topics to ensure
+that only authorized users can access {kib}.
+For more information on {kib}'s security controls, see <<using-kibana-with-security, Configure security>>.
+
+[float]
+[[enabling-ssl]]
+=== Enable SSL/TLS
+
+You should use SSL/TLS encryption to ensure that traffic between browsers and the {kib} server cannot be viewed or tampered with by third
+parties. See <<configuring-tls>>.
+
+[float]
+[[configuring-kibana-shield]]
+=== Use {stack} {security-features}
+
+You can use {stack} {security-features} to control what {es} data users can
+access through {kib}.
+
+When {security-features} are enabled, {kib} users have to log in. They must
+have a role granting <<kibana-privileges, {kib} privileges>> and access
+to the indices that they will be working with in {kib}.
+
+If a user loads a {kib} dashboard that accesses data in an index that they
+are not authorized to view, they get an error that indicates the index does
+not exist.
+
+For more information on granting access to {kib}, see <<xpack-security-authorization>>.
+
+[float]
+[[configuring-security-headers]]
+=== Use secure HTTP headers
+
+The {kib} server can instruct browsers to enable additional security controls using HTTP headers.
+
+1. Enable HTTP Strict-Transport-Security.
++
+Use <<server-securityResponseHeaders-strictTransportSecurity,`strictTransportSecurity`>> to ensure that browsers will only attempt
+to access {kib} with SSL/TLS encryption. This is designed to prevent manipulator-in-the-middle attacks.
+To configure this with a lifetime of one
+year in your `kibana.yml`:
++
+[source,js]
+--------
+server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
+--------
++
+WARNING: This header will block unencrypted connections for the entire domain. If you host more than one web application on the same domain
+using different ports or paths, all of them will be affected.
+
+2. Disable embedding.
++
+Use <<server-securityResponseHeaders-disableEmbedding, `disableEmbedding`>> to ensure
+that {kib} cannot be embedded in other websites.
+To configure this in your `kibana.yml`:
++
+[source,js]
+--------
+server.securityResponseHeaders.disableEmbedding: true
+--------
+
+[float]
+[[csp-strict-mode]]
+=== Require a Content Security Policy
+
+{kib} uses a Content Security Policy (CSP) to prevent the browser from allowing
+unsafe scripting, but older browsers will silently ignore this policy. If your
+organization does not need to support very old
+versions of our supported browsers, we recommend that you enable {kib}'s
+`strict` mode for the CSP. This will block access to {kib}
+for any browser that does not enforce even a rudimentary set of CSP
+protections.
+
+To do this, set `csp.strict` to `true` in your `kibana.yml`:
+
+[source,js]
+--------
+csp.strict: true
+--------