I think that you have unfortunately entered the long outstanding Kibana header hell 
I am 99% sure, but have either @sscarduzio or @ld57 confirm it.
If that is the case, go through the below links.
Kibana sometimes sends HTTP requests to Elasticsearch without credentials
Temp relief can be achieved through below approach. See the warning also.
Hack ACL Rule for Kibana