Our security team flagged a medium severity security concern with Auth0 login, during a penetration test on a regular web app secured with Auth0. The concern is about the potential for click-jacking. Whilst I’ve already asked about CSP as one defense, it is also suggested to add this header in your login web pages to prevent them opening in iframes:
Instead of adding these headers for all customers, therefore, Auth0 has added an opt-in for these headers, which we strongly recommend you enable.
You can do this by navigating to Tenant Settings > Advanced Settings, scrolling to ‘Migrations’, and turning OFF the ‘Disable clickjacking protection for Classic Universal Login’ setting. This action is not required if you are using the New Universal Login Experience as those headers are always set.
If you still have concerns, please use our Responsible Disclosure Program for anything that might be a security vulnerability. In fact, this should always be the first contact point for any security concerns.
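An added example, not from the thread or from Auth0, for verifying that the opt-in above actually took effect: it inspects a login page's response headers and reports gaps. It assumes the anti-framing protection consists of an X-Frame-Options header and a CSP frame-ancestors directive (the thread itself does not name the header); the sample header sets are constructed.

```python
# Added example (not Auth0's code): check whether HTTP response headers of a
# login page protect against clickjacking. Assumes the protection is
# X-Frame-Options plus a CSP frame-ancestors directive.
from typing import Dict, List
import urllib.request


def frame_ancestors_blocks_embedding(csp: str) -> bool:
    """True if the CSP's frame-ancestors directive forbids third-party framing."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower().strip("'") for s in parts[1:]]
            # Only 'none' or 'self' count as safe; a wildcard or an
            # external host means some other origin may frame the page.
            return bool(sources) and all(s in ("none", "self") for s in sources)
    return False  # no frame-ancestors directive at all


def clickjacking_findings(headers: Dict[str, str]) -> List[str]:
    """Return the list of gaps found; an empty list means the page is protected."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or weak: {xfo or '<absent>'}")
    if not frame_ancestors_blocks_embedding(h.get("content-security-policy", "")):
        findings.append("CSP frame-ancestors missing or permits external framing")
    return findings


def check_login_page(url: str) -> List[str]:
    """Fetch a login URL (hypothetical helper) and report its clickjacking gaps."""
    with urllib.request.urlopen(url) as resp:  # network access required
        return clickjacking_findings(dict(resp.headers.items()))


# Constructed sample header sets: before and after enabling the protection.
BEFORE = {"Content-Type": "text/html; charset=utf-8"}
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
}

if __name__ == "__main__":
    print("before:", clickjacking_findings(BEFORE))  # two findings
    print("after:", clickjacking_findings(AFTER))    # []
```

Run `check_login_page("https://<your-tenant-domain>/login")` (placeholder URL) against the Classic Universal Login page before and after flipping the migration setting to confirm the change.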