diff --git a/src/cli/serve/read_yaml_config.js b/src/cli/serve/read_yaml_config.js
index 2bad080edd59e..45da90aacd62b 100644
--- a/src/cli/serve/read_yaml_config.js
+++ b/src/cli/serve/read_yaml_config.js
@@ -35,6 +35,10 @@ let legacySettingMap = {
   verify_ssl: 'elasticsearch.ssl.verify',
 };
 
+const deprecatedSettings = {
+  'server.xsrf.token': 'server.xsrf.token is deprecated. It is no longer used when providing xsrf protection.'
+};
+
 module.exports = function (path) {
   if (!path) return {};
 
@@ -50,6 +54,10 @@ module.exports = function (path) {
     }
   }
 
+  _.each(deprecatedSettings, function (message, setting) {
+    if (_.get(file, setting)) console.error(message);
+  });
+
   // transform legeacy options into new namespaced versions
   return _.transform(file, function (config, val, key) {
     if (legacySettingMap.hasOwnProperty(key)) {
diff --git a/src/server/config/schema.js b/src/server/config/schema.js
index 93550a9635364..ac86641430671 100644
--- a/src/server/config/schema.js
+++ b/src/server/config/schema.js
@@ -44,6 +44,7 @@ module.exports = () => Joi.object({
     }),
     xsrf: Joi.object({
       disableProtection: Joi.boolean().default(false),
+      token: Joi.string().optional().notes('Deprecated')
     }).default(),
   }).default(),