Auth0 New Universal Login Missing Some Security Headers

Overview

The new universal login page is missing Content-Security-Policy, X-Frame-Options, and Referrer-Policy.

Cause

To render the login widget, a security header review tool must handle Auth0's cookies and redirects the way a browser does. Many of these tools follow the redirects but do not store and resend cookies, so Auth0 returns an error page instead of the login page. The error page is served with a different set of headers from the rendered login page, so the tool reports results for the wrong response and the test result is incorrect.

For example, when the login page is loaded successfully, Auth0 returns the following headers:

Alt-Svc: h3=":443"; ma=86400
Cache-Control: no-store, max-age=0, no-transform
Cf-Cache-Status: DYNAMIC
Cf-Ray: 88338403cb8479bb-LHR
Content-Language: en
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html; charset=utf-8
Date: Mon, 13 May 2024 15:00:01 GMT
Etag: W/"809f-xpFDBq5a0RFDqirAwqfZKTMCRZY"
Expires: Mon, 13 May 2024 15:00:01 GMT
Pragma: no-cache
Referrer-Policy: same-origin
Server: cloudflare
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Auth0-Requestid: 9a1ed70299fbd87ce323
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Ratelimit-Limit: 20
X-Ratelimit-Remaining: 19
X-Ratelimit-Reset: 1715612408
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block

When the cookies are discarded, the returned error page has the following headers:

Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
Cf-Cache-Status: DYNAMIC
Cf-Ray: 883386b9b95506a2-LHR
Content-Length: 2812
Content-Type: text/html; charset=utf-8
Date: Mon, 13 May 2024 15:01:52 GMT
Etag: W/"afc-wHmXbG6VyXRvV5HHdjpEriHpWJk"
Server: cloudflare
Set-Cookie: did=s%3Av0%3Abb4bcd90-1139-11ef-91e2-a3c1eca31273.RjFP1x2vyDIXt3xHWLwjc%2B0g8T2hAAtTsKelP7Ny0bw; Max-Age=31557600; Path=/; Expires=Tue, 13 May 2025 21:01:52 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: did_compat=s%3Av0%3Abb4bcd90-1139-11ef-91e2-a3c1eca31273.RjFP1x2vyDIXt3xHWLwjc%2B0g8T2hAAtTsKelP7Ny0bw; Max-Age=31557600; Path=/; Expires=Tue, 13 May 2025 21:01:52 GMT; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Auth0-Requestid: 4a9534424ee28cefc863
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 20
X-Ratelimit-Remaining: 19
X-Ratelimit-Reset: 1715612519

There are important differences between the headers. When the login page is rendered, Auth0 returns the Content-Security-Policy, X-Frame-Options, and Referrer-Policy, whereas these headers are missing when the error page is rendered.

Solution

Manually verify the returned headers by inspecting the network trace in the browser's developer tools instead of relying on online header-scanning tools. Make sure the response you inspect is the one that actually rendered the login widget, not the error page that is served when cookies are discarded.
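As an added illustration (not Auth0's own tooling), the script below checks a response for the three headers the article names, first offline against trimmed copies of the two responses quoted above, and optionally by fetching a URL with a cookie jar so that cookies set along the redirect chain are resent the way a browser would; the URL, timeout and function names are assumptions for this example.

```python
import http.cookiejar
import urllib.error
import urllib.request

# Headers the article shows Auth0 returning only on the rendered login page.
REQUIRED = ("Content-Security-Policy", "X-Frame-Options", "Referrer-Policy")

# Trimmed copies of the two responses quoted in the article (sample input).
LOGIN_PAGE_HEADERS = """\
Content-Security-Policy: frame-ancestors 'none'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
"""

ERROR_PAGE_HEADERS = """\
Cache-Control: private, no-store, no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""


def parse_raw_headers(raw: str) -> dict:
    """Parse 'Name: value' lines copied from a network trace into a dict
    keyed by lower-cased name (HTTP header names are case-insensitive)."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(headers: dict) -> list:
    """Return the REQUIRED headers that are absent, in REQUIRED order."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED if h.lower() not in present]


def fetch_final_headers(url: str) -> dict:
    """Fetch `url` with a cookie jar so cookies set during the redirect chain are
    sent back, as a browser does. Error pages may carry a non-2xx status, so
    their headers are taken from the HTTPError rather than being dropped."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    try:
        with opener.open(url, timeout=15) as resp:  # timeout is an assumption
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


if __name__ == "__main__":
    for label, raw in (("login page", LOGIN_PAGE_HEADERS), ("error page", ERROR_PAGE_HEADERS)):
        print(label, "missing:", missing_security_headers(parse_raw_headers(raw)))
```

Running it offline reports nothing missing for the login page and all three headers missing for the error page; pass your tenant's login URL to fetch_final_headers to repeat the check live.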