
Insecure HTTP headers



During our security review we found that a response header is exposing the technology used:


Strict transport layer security and other headers are missing:

Strict-Transport-Security: max-age=15552000; includeSubDomains
X-XSS-Protection: 1; mode=block


The HSTS header should be there, although at this time it does not include the sub-domains option. In relation to the other situations, you should update the question with the relevant endpoints that you tested and where you observed each behavior.
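As an added example (not code from this thread or from Auth0), a small checker that parses the Strict-Transport-Security value per RFC 6797 and reports the gaps both posts describe: a missing or weak HSTS policy, the absent includeSubDomains option, other missing hardening headers, and technology-disclosing headers. The header set and the one-year minimum max-age are assumptions for the demonstration.

```python
from typing import Dict, List, Optional

# Assumed policy: one year, the value commonly required for HSTS preloading.
# The post's 15552000 seconds is 180 days and falls below it.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one response's headers (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts: Optional[str] = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append("HSTS max-age missing or invalid")
        elif policy["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {policy['max_age']} below {MIN_HSTS_MAX_AGE}")
        if not policy["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    # Other hardening headers a review would expect; X-XSS-Protection is omitted on purpose,
    # since modern browsers ignore it and a Content-Security-Policy is the replacement.
    for name in ("x-content-type-options", "x-frame-options", "content-security-policy"):
        if name not in lower:
            findings.append(f"missing {name}")
    for name in ("server", "x-powered-by"):
        if name in lower:
            findings.append(f"{name} discloses technology: {lower[name]}")
    return findings


# Constructed sample resembling the situation in the post: HSTS present without includeSubDomains.
SAMPLE_HEADERS = {"Server": "example-server/1.0", "Strict-Transport-Security": "max-age=15552000"}
```

Run `audit_headers(SAMPLE_HEADERS)` against captured headers from each endpoint tested, which also gives the per-endpoint record the reply asks for.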