Content Security Policy Headers Not Present on Universal Login Redirect Endpoints

Overview

This article explains why security headers such as X-Frame-Options and Content-Security-Policy are not present on certain Universal Login flow endpoints, such as /authorize or /v2/logout.

Applies To

  • Universal Login
  • Content Security Policy
  • X-Frame-Options

Cause

The X-Frame-Options and Content-Security-Policy headers govern the contents of an HTTP document: whether it may be framed, and which resources it may load. The affected authorization flow endpoints are designed to issue a redirect (response code 302) and do not serve any document content. Because there is no content for the security policies to evaluate, the headers are not included on those responses.
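A scanner that flags a redirect endpoint for missing headers is usually inspecting the 302 response itself rather than the page it redirects to. The following added example (not Auth0 code) shows how to tell the two cases apart when triaging such a report: it fetches only the first hop without following the Location header, and treats a missing Content-Security-Policy or X-Frame-Options as expected when the response is a redirect with no body, and as a finding when a real document is served without them. The local http.server endpoints (/authorize issuing a 302, /login serving a page with headers) are constructed here so the check can be exercised offline; the hypothetical fetch_without_following helper works the same way against any URL.

```python
"""Triage missing CSP / X-Frame-Options headers on redirect vs document responses.

Added example, not part of the original article. A response is represented as
(status, headers dict, body bytes). The local demo server below is constructed
to exercise the classifier offline.
"""
import threading
import urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPRedirectHandler, Request, build_opener

SECURITY_HEADERS = ("content-security-policy", "x-frame-options")


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following Location so the 3xx response itself is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_following(url, timeout=10):
    """Return (status, headers, body) for the first hop only (hypothetical helper)."""
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(Request(url), timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces 3xx responses as HTTPError;
        # the object still carries the status, headers and body of that hop.
        return err.code, dict(err.headers), err.read()


def classify(status, headers, body):
    """Decide whether absent security headers are expected or a real finding.

    'ok'       - both headers present
    'expected' - redirect (3xx with Location) and no body: nothing for CSP/XFO to govern
    'finding'  - document content served without the headers
    """
    lowered = {k.lower() for k in headers}
    missing = [h for h in SECURITY_HEADERS if h not in lowered]
    if not missing:
        return "ok"
    is_redirect = 300 <= status < 400 and "location" in lowered
    if is_redirect and not body.strip():
        return "expected"
    # A 200 page, or a redirect that still ships a document body, should carry the headers.
    return "finding"


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed endpoints: /authorize redirects with no body, /login serves a page."""

    def do_GET(self):
        if self.path.startswith("/authorize"):
            self.send_response(302)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        page = b"<html><body>login form</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Security-Policy", "default-src 'self'")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the constructed server on a free port and classify both endpoints."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {}
    try:
        for path in ("/authorize", "/login"):
            results[path] = classify(*fetch_without_following(base + path))
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path}: {verdict}")
```

When triaging a real scanner report, run fetch_without_following against the flagged endpoint and then against the page named in its Location header: the redirect hop is expected to lack the headers, and the rendered document it lands on is where they should be checked.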

Solution

This behavior is by design, and no action is required. The security headers are intentionally omitted from endpoints that only issue a redirect, as there is no content to which the policies would apply.