Hi, my company is considering using auth0 for authentication in our Flask and React application. However, we are not security experts and have some concerns.
We have gone through the Flask + React guide from 02/22 and have found it useful for getting set up. But we are unsure of several things. For a couple of examples:
- Why is X-XSS-Protection response header set to 0? Doesn’t this disable a cross-site-scripting protection? Why would we want to disable this?
- Why is cache disabled?
- Why is Talisman setting force_https: False, yet the response header Strict-Transport-Security is added?
We realize not all of these questions directly apply to auth0, but we are hoping to get some help from the community.
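As an added example (not code from the post, the Auth0 guide or Talisman), a small audit over constructed Talisman-style response headers that checks the three settings asked about: X-XSS-Protection of 0, no-store caching, and HSTS with a positive max-age, with a separate flag for whether the response was served over TLS, since force_https (the redirect) and the HSTS header are independent knobs.

```python
from typing import Dict, List

# Constructed sample of the response headers the post describes (Talisman-style),
# not captured from the Auth0 guide or the poster's application.
SAMPLE_HEADERS: Dict[str, str] = {
    "Content-Type": "application/json",
    "X-XSS-Protection": "0",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value; -1 if absent."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.lower() == "max-age" and raw.strip('"').isdigit():
            return int(raw.strip('"'))
    return -1


def audit_headers(headers: Dict[str, str], served_over_https: bool = True) -> List[str]:
    """Return findings for a response's security headers (empty list = no issues)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # X-XSS-Protection: 0 is the recommended value. It disables the legacy browser
    # filter, which modern browsers have removed and which itself caused bugs.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection should be 0 (legacy filter)")

    # Auth-related responses carry tokens and user data; no-store keeps them out of caches.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control missing no-store")

    # Browsers honour HSTS only on HTTPS responses, so the header is inert without TLS.
    # force_https (the HTTP->HTTPS redirect) is separate from emitting this header.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts_max_age(hsts) <= 0:
        findings.append("Strict-Transport-Security has no positive max-age")
    elif not served_over_https:
        findings.append("HSTS sent over plain HTTP has no effect; enable HTTPS/force_https")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing nosniff")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Pointing audit_headers at the headers returned by a Flask test client (response.headers) turns this into a quick regression check for the Talisman configuration.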