Our security team flagged a medium severity security concern with Auth0 login, during a penetration test on an app secured with Auth0. The concern is that the Auth0 login pages do not have Content Security Policy (CSP) setup, to defend against XSS injection. Please will you consider setting up Content Security Policy with your login web pages? Our team considered this recommended security practice, according to the principle of defense in depth.
Hey there @davidread!
Let me pass it to our security team and discuss further, potentially getting back with the info shortly!
1 Like
Can you just let me know what stack of ours / quickstart you have used?
Yes, it’s a regular web app - node app, so something like this: Auth0 Express SDK Quickstarts: Login
Thank you! Let me get back to you soon!
Our security team is reviewing your request. As soon as I have info from them, I’ll get back to you!
Security team asked if you can submit your concern to our responsible disclosure program here:
On the server side we do use CSP to prevent clickjacking. You can read about it here:
Thank you!
1 Like