Feature request: Disable clickjacking protection for a specific domain only

Feature:
Disable clickjacking protection for a specific domain only

Description:
This feature request proposes enhancing Auth0’s clickjacking protection functionality to allow for selective disabling/enabling of protection on a per-domain basis. This would offer users finer control over security measures, enabling them to disable clickjacking protection only for specific trusted domains while keeping it enabled for others.

Use-case:
We have an admin portal with sensitive admin functions. We want to add an extra layer of security by requiring Multi-Factor Authentication (MFA) before users can perform these actions. To seamlessly integrate the MFA prompt into our website via an iframe, we need to disable clickjacking protection, but only for the domain of our admin portal. This will ensure that the rest of our website remains protected against clickjacking threats while users go through MFA.

Hello, @andreas.drexler Florida Blue

To selectively disable clickjacking protection for a specific domain in Auth0, you can utilize the Tenant Settings in your Auth0 dashboard. Here’s a high-level approach to how you can achieve this:

Navigate to Tenant Settings in your Auth0 dashboard.
Go to the Advanced Settings section.
Scroll down to the Migrations area.
Here, you should find an option to Disable clickjacking protection for Classic Universal Login.

By toggling this setting, you can opt in to headers that prevent your Universal Login pages from being embedded into an iframe, which is a common clickjacking technique. However, this setting is global and not domain-specific.

Currently, Auth0 documentation does not indicate the availability of domain-specific settings for clickjacking protection. If you need this functionality to be domain-specific, you might need to implement custom logic within your application to handle the security headers conditionally based on the domain of the incoming request.

For example, you could configure your web server or reverse proxy to modify the X-Frame-Options and Content-Security-Policy headers based on the domain making the request. This would allow you to enable or disable clickjacking protection dynamically.

If this feature is critical for your use case and you’re unable to achieve the desired functionality with the current Auth0 features, consider reaching out to Auth0 support or submitting a feature request through their feedback channels. Auth0 values user input and often updates its offerings based on customer needs and feedback.

Remember to test any changes thoroughly to ensure that they do not inadvertently weaken the security of your application. It’s also advisable to consult with a security expert when making changes to authentication and session management mechanisms.

I hope my suggestion is helpful for you.

Best regards,
Stephen378Baker
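The reply above suggests having a reverse proxy or the application set the anti-framing headers conditionally. The following is an added example of that idea and is not Auth0 code or anything from the original posts; it assumes you run a proxy or Node edge layer in front of the login pages (for instance on a custom domain you control), and the hostnames `login.example.com` and `https://admin.example.com` are constructed placeholders. The policy is keyed on the requested hostname (the `Host` header), and instead of switching protection off for that host it emits a `Content-Security-Policy: frame-ancestors` allowlist naming the one origin permitted to embed the page; every other host keeps `frame-ancestors 'none'` plus `X-Frame-Options: DENY`. `X-Frame-Options` is omitted on the allowlisted host because it has no working allowlist form (`ALLOW-FROM` is obsolete) and a `DENY` there would block the legitimate embed.

```javascript
// Per-host anti-clickjacking headers for a proxy/app edge in front of a login page.
// Added example, not Auth0 code. All hostnames below are constructed placeholders.

// Map of requested hostname -> origins allowed to frame pages served on that host.
// Hosts missing from this map get the deny-all default.
const FRAME_POLICIES = new Map([
  // Only the admin portal, over HTTPS, may embed the MFA/login step.
  ['login.example.com', { allowedAncestors: ['https://admin.example.com'] }],
]);

// Lower-case the Host header, strip a port, and reject anything that is not a
// plain hostname (CR/LF, spaces, slashes) so a crafted header cannot match a policy.
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, '');
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// Returns the response headers to set for a request to `hostHeader`.
function buildFrameHeaders(hostHeader) {
  const host = normaliseHost(hostHeader);
  const policy = host ? FRAME_POLICIES.get(host) : undefined;

  if (!policy || policy.allowedAncestors.length === 0) {
    // Default: nobody may frame this page. Send both headers so browsers that
    // only understand X-Frame-Options are covered too.
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }

  // Allowlisted host: CSP carries the allowlist. frame-ancestors is only honoured
  // as an HTTP header, never from a <meta> tag, so it must be set here.
  return {
    'Content-Security-Policy': `frame-ancestors ${policy.allowedAncestors.join(' ')}`,
  };
}

// Express/Connect-style middleware that applies the policy to every response.
function frameAncestorsMiddleware(req, res, next) {
  const headers = buildFrameHeaders(req.headers.host);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  next();
}
```

The browser enforces `frame-ancestors` against the origin of the embedding page, so the allowlist does what the global toggle cannot: the MFA step can be framed by `https://admin.example.com` and by nothing else, while all other hosts stay fully protected. Keep the allowlist to exact HTTPS origins; a bare scheme or a wildcard host would let any site on that scheme frame the page.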

I think this topic is related (but focuses on NUL):
Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login - Auth0 Community