Clickjacking Protection in Classic Universal Login!

Good news everyone, we have just added Clickjacking Protection in the Classic Universal Login Experience! This addresses a low-risk security vulnerability that has been reported by pen-testers and customers.

What is Clickjacking?
As described in the below Clickjacking Protection documentation:

Clickjacking is an attack that tricks a user into clicking a web page element which is invisible or disguised as another element. This is done by loading content in an iframe and rendering elements on top of it. In the context of the Universal Login pages, an attacker could trick the user into clicking a ‘Login’, or ‘Reset Password’ button.

What do I need to do with Clickjacking Protection?
Given it is a potential breaking change, we added a migration flag in Tenant Settings / Advanced / Migrations.

The flag is turned ON by default for existing tenants and OFF for new ones. In the near future, we’ll remove the option of turning it ON for new tenants.

disableclick-jacking

When the flag is OFF, the following HTTP headers are added:

X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'

It’s important to note that the flag only applies to Classic Universal Login; customers using the New Universal Login always get the headers.

Supporting Documentation


Got any questions regarding that? We’re happy to help, just reopen this community topic!
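
To confirm which state a login page is in, the two headers listed above can be checked against a captured response. This is an added example, not part of the original post or Auth0's own code; the function names and the sample responses are constructed, and headers are assumed to arrive as a plain name-to-value object.

```javascript
// Added example: audit response headers for the two anti-framing headers
// named in the post. All sample responses below are constructed.

// Collect header values by case-insensitive name, always as an array.
function headerValues(headers, name) {
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) out.push(...[].concat(v));
  }
  return out;
}

// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function auditFraming(headers) {
  const xfo = headerValues(headers, "x-frame-options")
    .map((v) => v.trim().toLowerCase());
  // One header value may carry several comma-separated policies.
  // The -Report-Only variant is a different header and is not enforced.
  const lists = headerValues(headers, "content-security-policy")
    .flatMap((v) => v.split(","))
    .map(frameAncestors)
    .filter((l) => l !== null);
  const xfoDeny = xfo.length > 0 && xfo.every((v) => v === "deny");
  const cspNone = lists.some((l) => l.length === 1 && l[0] === "'none'");
  return { xfoDeny, cspNone, matchesPost: xfoDeny && cspNone };
}

// Constructed sample responses.
const SAMPLES = {
  flagOff: { "X-Frame-Options": "deny",
             "Content-Security-Policy": "frame-ancestors 'none'" },
  withOtherDirectives: { "x-frame-options": "DENY",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  reportOnly: { "X-Frame-Options": "deny",
    "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
  flagOn: { "Content-Type": "text/html" },
};
```

A response that carries the directive only in `Content-Security-Policy-Report-Only` does not count, because browsers report on that policy but do not enforce it.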