Hello, @andreas.drexler Florida Blue
To selectively disable clickjacking protection for a specific domain in Auth0, you can utilize the Tenant Settings in your Auth0 dashboard. Here’s a high-level approach to how you can achieve this:
1. Navigate to Tenant Settings in your Auth0 dashboard.
2. Go to the Advanced Settings section.
3. Scroll down to the Migrations area.
4. Here, you should find an option to Disable clickjacking protection for Classic Universal Login.
By toggling this setting, you can opt in to headers that prevent your Universal Login pages from being embedded in an iframe, which is a common clickjacking technique. However, this setting is global and not domain-specific.
Currently, Auth0 documentation does not indicate the availability of domain-specific settings for clickjacking protection. If you need this functionality to be domain-specific, you might need to implement custom logic within your application to handle the security headers conditionally based on the domain of the incoming request.
For example, you could configure your web server or reverse proxy to modify the X-Frame-Options and Content-Security-Policy headers based on the domain making the request. This would allow you to enable or disable clickjacking protection dynamically.
If this feature is critical for your use case and you’re unable to achieve the desired functionality with the current Auth0 features, consider reaching out to Auth0 support or submitting a feature request through their feedback channels. Auth0 values user input and often updates its offerings based on customer needs and feedback.
Remember to test any changes thoroughly to ensure that they do not inadvertently weaken the security of your application. It’s also advisable to consult with a security expert when making changes to authentication and session management mechanisms.
I hope my suggestion is helpful for you.
Best Regards,
Stephen378Baker
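The per-domain header logic the reply describes, as an added Node.js example that is not code from the post or from Auth0; the hostnames and the embedding allowlist are constructed placeholders, and the request's Host header is assumed to identify the login domain:

```javascript
// Constructed allowlist: login hostname -> parent origins permitted to frame it.
// Any hostname not listed keeps full clickjacking protection.
const FRAME_ALLOWLIST = {
  "login.embed.example.com": ["https://portal.example.com"],
};

// Return the anti-framing headers to send for a given Host header value.
function frameHeadersFor(hostHeader) {
  const hostname = String(hostHeader || "").toLowerCase().split(":")[0];
  const allowed = FRAME_ALLOWLIST[hostname];
  if (!allowed || allowed.length === 0) {
    // Default posture: deny framing everywhere, both legacy and CSP form.
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  // Allowlisted domain: permit only the named parent origins rather than
  // dropping protection. X-Frame-Options cannot express an origin list
  // (ALLOW-FROM is deprecated), so only CSP frame-ancestors is emitted.
  return {
    "Content-Security-Policy": `frame-ancestors ${allowed.join(" ")}`,
  };
}

// Middleware shape usable with Node's http module or Express: sets the
// headers chosen above on every response, then continues the chain.
function clickjackingMiddleware(req, res, next) {
  const headers = frameHeadersFor(req.headers && req.headers.host);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  if (typeof next === "function") next();
  return headers;
}
```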