We recently conducted a security audit, during which two issues were flagged related to our use of Universal Login:
- HSTS enforcement.
- Content-Security-Policy directives to prevent script injection attacks.
Upon reviewing traffic between the application and the authorization server, I observed that all communication occurs over HTTPS. However, the audit specifically flagged the lack of HSTS enforcement on the authorization server. Could this issue be related to the domain not being preloaded in the HSTS preload list, or is there another reason HSTS might be reported as missing?
For the Content-Security-Policy concern, I noticed the Universal Login page includes a directive to prevent iframe loading, but the audit indicated there were no directives explicitly addressing script injection.
How can I configure or extend the directives for the Universal Login page to address this security concern and mitigate the flagged vulnerability? Thank you in advance!
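An added example (not part of the original post, and not Auth0's own code): a small Python checker that can be run over captured response headers to see whether they would raise the two findings described above. The header values below are constructed samples, not real tenant output.

```python
import re
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_findings(header: str) -> List[str]:
    """Findings on whether a CSP constrains script execution and framing."""
    findings = []
    policy = parse_csp(header)
    # script-src governs scripts; when it is absent browsers fall back to default-src.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script sources are unrestricted")
    elif "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: framing is not restricted by CSP")
    return findings

def hsts_findings(header: str, min_age: int = 31536000) -> List[str]:
    """Findings on a Strict-Transport-Security header (empty string = header absent)."""
    if not header:
        return ["no Strict-Transport-Security header: HSTS is not enforced"]
    findings = []
    match = re.search(r"max-age=(\d+)", header, re.IGNORECASE)
    if match is None:
        findings.append("HSTS header has no max-age, so browsers ignore it")
    elif int(match.group(1)) < min_age:
        findings.append(f"HSTS max-age {match.group(1)} is below {min_age} seconds")
    if "includesubdomains" not in header.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings

def audit(headers: Dict[str, str]) -> List[str]:
    """Combine CSP and HSTS findings for one response's headers."""
    return (csp_findings(headers.get("Content-Security-Policy", ""))
            + hsts_findings(headers.get("Strict-Transport-Security", "")))

# Constructed sample headers (not captured from a real tenant): the first mirrors
# what the audit described (only framing restricted, no HSTS); the second is hardened.
FLAGGED_HEADERS = {"Content-Security-Policy": "frame-ancestors 'none'"}
HARDENED_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

Running `audit(FLAGGED_HEADERS)` reproduces both audit findings, while `audit(HARDENED_HEADERS)` returns an empty list.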