Set Security Headers in All Authentication Pages

Last Updated: Nov 25, 2024

Overview

This article clarifies whether it is possible to set the following security headers on all authentication pages:

  • Content-Security-Policy
  • X-Frame-Options
  • Referrer-Policy
  • Permissions-Policy

Applies To

  • Security Headers
  • Authentication Pages

Solution

By default, it is not possible to set any headers beyond what is already set by Auth0.

It is possible to add or modify headers as needed when a Reverse Proxy is used (i.e., “Custom Domains with Self-Managed Certificates”). In that setup, all network calls to the authentication pages flow through the Reverse Proxy, so headers can be added there as needed.

Some may choose to implement these headers (e.g., specifically adding the “Content-Security-Policy” header) for a more secure Classic Universal Login implementation. Note that any calls that do not go through the Reverse Proxy (for example, Management API or Dashboard calls) will not have these headers applied, but these endpoints are not accessed by end users and are less of a concern.
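As an added illustration (not Auth0's own configuration), the following nginx server block shows the self-managed-certificate Reverse Proxy adding the four headers on the way back to the browser. The hostname, certificate paths, upstream origin domain and cname-api-key value are placeholders to be taken from the Dashboard, and the CSP source list is an assumption that must be tuned to what the login page actually loads.

```nginx
# Added example: nginx reverse proxy in front of an Auth0 custom domain
# (self-managed certificate). All hostnames, paths and keys are placeholders.
server {
    listen 443 ssl;
    server_name login.example.com;                               # placeholder custom domain

    ssl_certificate     /etc/ssl/certs/login.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/login.example.com.key;  # placeholder

    # Headers added to every response that passes through the proxy.
    # "always" makes nginx add them on 4xx/5xx responses as well; without it
    # only 2xx/3xx responses get them, and an error page would ship unprotected.
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # Roll CSP out in Report-Only mode first and switch to the enforcing
    # Content-Security-Policy header only once the reports show the login
    # page loads cleanly. The source list here is an assumption.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.auth0.com; frame-ancestors 'none'; report-uri https://csp-reports.example.com/auth0" always;

    # If the upstream already sends one of these headers, hide it so the
    # browser does not receive two conflicting copies.
    proxy_hide_header X-Frame-Options;

    location / {
        proxy_pass https://PLACEHOLDER-origin.edge.tenants.auth0.com;  # origin domain from the Dashboard
        proxy_ssl_server_name on;                                      # send SNI to the upstream
        proxy_set_header Host login.example.com;
        proxy_set_header cname-api-key "PLACEHOLDER_CNAME_API_KEY";    # value from the Dashboard
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Caveat: an add_header inside this location block would replace,
        # not extend, the server-level add_header list above.
    }
}
```

After reloading, confirm the headers with `curl -I https://login.example.com/login` and compare against the response received directly from the origin to make sure nothing is duplicated or lost.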