Overview
This article explains why security headers such as X-Frame-Options and Content-Security-Policy are not present on certain Universal Login flow endpoints, such as /authorize or /v2/logout.
Applies To
- Universal Login
- Content Security Policy
- X-Frame-Options
Cause
The X-Frame-Options and Content-Security-Policy headers apply to the contents of an HTTP document. The affected authorization flow endpoints are designed to issue a redirect (response code: 302) and do not serve any document content. Because there is no content for the security policies to evaluate, the headers are not included.
Solution
This behavior is by design, and no action is required. The security headers are intentionally omitted from endpoints that only issue a redirect, as there is no content to which the policies would apply. The headers should still be present on the responses that do serve a document, such as the login page the redirect leads to.
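The following is an added example, not Auth0's own code, that applies this rule to constructed HTTP responses: a 302 redirect without a body is expected to lack the headers, while a 200 document response that lacks them is reported as a finding. The hostname, paths and header values in the samples are made up.

```python
# Added example: decide whether the absence of X-Frame-Options and
# Content-Security-Policy on a response is expected (redirect, no document)
# or a finding (document content without the headers). Samples are constructed.
SECURITY_HEADERS = ("x-frame-options", "content-security-policy")

# Constructed sample: a /authorize-style redirect with no body.
AUTHORIZE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://tenant.example.com/u/login?state=abc123\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
# Constructed sample: the login page the redirect leads to, with both headers.
LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
    "<html><body>login form</body></html>"
)
# Constructed sample: a document response that is missing CSP.
LOGIN_PAGE_NO_CSP = LOGIN_PAGE.replace("Content-Security-Policy: default-src 'self'\r\n", "")

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def assess(raw: str) -> dict:
    """Classify one response: are the missing security headers expected or a finding?"""
    status, headers, body = parse_response(raw)
    missing = [h for h in SECURITY_HEADERS if h not in headers]
    is_redirect = 300 <= status < 400 and "location" in headers
    if is_redirect and not body:
        verdict = "ok: redirect with no document body; headers not expected"
    elif is_redirect:
        verdict = "review: redirect carries a body; the headers apply to that content"
    elif missing:
        verdict = "finding: document response is missing " + ", ".join(missing)
    else:
        verdict = "ok: document response carries both headers"
    return {"status": status, "redirect": is_redirect, "missing": missing, "verdict": verdict}
```

Run `assess()` over captured responses from the redirect endpoint and from the page it lands on; only the latter should ever produce a finding.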