Content Security Policy

davidread · August 12, 2019, 10:44am

Our security team flagged a medium severity security concern with Auth0 login, during a penetration test on an app secured with Auth0. The concern is that the Auth0 login pages do not have Content Security Policy (CSP) setup, to defend against XSS injection. Please will you consider setting up Content Security Policy with your login web pages? Our team considered this recommended security practice, according to the principle of defense in depth.

konrad.sopala · August 12, 2019, 11:20am

Hey there @davidread!

Let me pass it to our security team and discuss further, potentially getting back with the info shortly!

konrad.sopala · August 12, 2019, 11:26am

Can you just let me know what stack of ours / quickstart you have used?

davidread · August 12, 2019, 11:38am

Yes, it’s a regular web app - node app, so something like this: Auth0 Express SDK Quickstarts: Login

konrad.sopala · August 12, 2019, 11:39am

Thank you! Let me get back to you soon!

konrad.sopala · August 14, 2019, 2:47pm

Our security team is reviewing your request. As soon as I have info from them, I’ll get back to you!

konrad.sopala · August 14, 2019, 3:03pm

Security team asked if you can submit your concern to our responsible disclosure program here:

On the server side we do use CSP to prevent clickjacking. You can read about it here:

Thank you!