Prevent iframe clickjacking (using X-Frame-Options header)

Is there a way to prevent Auth0 login pages from being presented in an iframe? For non-Auth0 pages, one would set the X-Frame-Options header to DENY. But can those headers be set on an Auth0 login page as well?


From a technical point of view it's possible for you to include that header if you can use a custom domain with self-managed certificates (Configure Custom Domains with Self-Managed Certificates). However, this is mostly because in that flow you have to have a reverse proxy, which could add HTTP headers.

In addition, the use of that approach does not prevent the original tenant domain from being accessed, and if accessed through that domain the header would not be present.

I can also let you know that we are tracking this particular situation and have intentions to include additional headers like the one you mentioned by default; however, this would technically be a breaking change, so there's some additional consideration to this process.
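The reply above makes two security-relevant points: a reverse proxy in front of a custom domain can append a framing-protection header (in nginx, for instance, `add_header X-Frame-Options DENY always;`), but the original tenant hostname stays reachable and never passes through that proxy, so it is still frameable. The check below is an added example written for this thread, not code from Auth0 or from the original posters. It classifies a response's framing protection the way browsers do: an enforced Content-Security-Policy `frame-ancestors` directive takes precedence over X-Frame-Options, conflicting X-Frame-Options values are refused (treated as DENY), and unrecognised values, including the obsolete `ALLOW-FROM` form, give no protection. The header sets and hostnames are constructed for illustration; in practice you would feed it the headers captured from both the custom domain and the original tenant domain so that the gap described above shows up.

```python
# Added example (not from the original thread): classify whether a login
# page's response headers stop it from being framed by another origin.
# All header sets and hostnames below are constructed, not captured traffic.


def _frame_ancestors(csp_value):
    """Return the source list of a frame-ancestors directive, or None if
    the policy has no such directive."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers):
    """Classify framing protection as 'blocked', 'same-origin',
    'allow-list' or 'none'.

    Mirrors browser behaviour: an enforced CSP frame-ancestors directive
    wins over X-Frame-Options (Report-Only policies are ignored); multiple
    differing X-Frame-Options values are refused; DENY blocks; SAMEORIGIN
    allows only same-origin ancestors; anything else, including a missing
    header or the obsolete ALLOW-FROM syntax, protects nothing.

    `headers` is a list of (name, value) pairs so repeated headers survive.
    """
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    for value in csp_values:
        sources = _frame_ancestors(value)
        if sources is None:
            continue
        if not sources or sources == ["'none'"]:
            return "blocked"  # empty source list or 'none' matches no ancestor
        if sources == ["'self'"]:
            return "same-origin"
        return "allow-list"

    xfo_values = [v for n, v in headers if n.lower() == "x-frame-options"]
    values = {part.strip().lower()
              for v in xfo_values for part in v.split(",") if part.strip()}
    if len(values) > 1:
        return "blocked"  # conflicting values: browsers refuse to frame
    if values == {"deny"}:
        return "blocked"
    if values == {"sameorigin"}:
        return "same-origin"
    return "none"


# Constructed response as served through a reverse proxy on a custom
# domain that appends both protective headers (hostname is a placeholder).
CUSTOM_DOMAIN = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

# Constructed response from the original tenant domain: the proxy never
# sees this traffic, so the header it adds is absent here.
TENANT_DOMAIN = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "no-store"),
]

# Constructed response using the obsolete ALLOW-FROM form, which current
# browsers ignore, so it offers no protection.
OBSOLETE_ALLOW_FROM = [
    ("X-Frame-Options", "ALLOW-FROM https://app.example"),
]


def audit(responses):
    """Return {label: verdict} so every hostname serving the login page is
    checked together and a single unprotected one stands out."""
    return {label: frame_protection(h) for label, h in responses.items()}


if __name__ == "__main__":
    results = audit({
        "login.custom.example (via proxy)": CUSTOM_DOMAIN,
        "tenant.auth0.example (direct)": TENANT_DOMAIN,
        "allow-from variant": OBSOLETE_ALLOW_FROM,
    })
    for label, verdict in results.items():
        print(f"{label}: {verdict}")
```

The point of `audit` is that the verdict for the proxied hostname alone is misleading: the same login page reached through the tenant's original domain comes back as `none`, which is exactly the bypass the reply warns about.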

It would be very nice if we could specify arbitrary headers ourselves somewhere in the Auth0 config. That would mean no breaking changes for customers. We can already customize the HTML for the login pages, why not the HTTP headers as well?

I think (personal opinion) that allowing arbitrary headers would be a bit too much, but I understand that having some configurability could be interesting. However, it's the configurability part that leads to the additional considerations mentioned above. In software, going from completely controlled by the service to even just the smallest bit of configurability is a huge gap to cover.

Not saying that it should not be done, just calling attention to the fact that sometimes in software the smallest functional change requires an enormous behind-the-scenes refactoring.

As I mentioned, we are already tracking this situation from the perspective of the service providing additional headers by default, including this one. However, if you're looking to go further and have additional control, you should leave your feedback at Auth0: Secure access for everyone. But not just anyone. as that goes straight to the product team.