Set Security Headers in All Authentication Pages

Problem Statement

Is it possible to set the security headers below on all authentication pages?

Content-Security-Policy
X-Frame-Options
Referrer-Policy
Permissions-Policy

Solution

By default, it is not possible to set any headers beyond what is already set by Auth0.

When a Reverse Proxy is used (the “Custom Domains with Self-Managed Certificates” setup), you can add or modify headers as needed: all network calls to the authentication pages flow through that Reverse Proxy, so it can add headers to every response.

You may choose to implement these headers (for example, specifically adding the “Content-Security-Policy” header) for a more secure UL Classic implementation. Note that calls that do not go through the Reverse Proxy (Management API or Dashboard calls) will not have these headers applied, but those endpoints are not accessed by end users and are less of a concern.
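An nginx reverse proxy configuration illustrating the approach, added here as an example and not taken from Auth0's documentation. The custom domain, certificate paths, the AUTH0_ORIGIN upstream, the CSP source list and the report endpoint are placeholders or assumptions to be replaced with your tenant's values.

```nginx
# Added example (not from the Auth0 article): nginx reverse proxy in front of an
# Auth0 custom domain with self-managed certificates, adding the four headers to
# every response that passes through it. AUTH0_ORIGIN and the TLS paths are
# placeholders; take the real origin hostname and any header the upstream requires
# from your tenant's custom domain settings.
server {
    listen 443 ssl;
    server_name login.example.com;                              # your custom domain

    ssl_certificate     /etc/ssl/certs/login.example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/login.example.com.key; # placeholder

    location / {
        proxy_pass https://AUTH0_ORIGIN;                        # placeholder upstream
        proxy_set_header Host $host;
        proxy_ssl_server_name on;

        # Drop any upstream copy of a header you intend to override; otherwise the
        # client receives two values and browser behaviour becomes unpredictable.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;

        # "always" also applies the headers to 4xx/5xx responses (e.g. a rejected
        # login), which add_header skips by default. Note that add_header directives
        # in a location block replace, rather than extend, those of the server block.
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

        # Roll out CSP in report-only mode first: the login page loads scripts and
        # styles from Auth0's CDN, so the source list below is an assumed starting
        # point to be tuned from violation reports (sent to the placeholder
        # /csp-report endpoint) before renaming the header to Content-Security-Policy.
        add_header Content-Security-Policy-Report-Only
            "default-src 'self'; script-src 'self' https://cdn.auth0.com; style-src 'self' 'unsafe-inline' https://cdn.auth0.com; img-src 'self' data: https:; frame-ancestors 'none'; report-uri /csp-report" always;
    }
}
```

After reloading nginx, confirm the headers on a real login page response rather than on the Management API or Dashboard, which do not traverse the proxy.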