Universal Login response headers not compliant (X-XSS-Protection)

Richie · December 17, 2024, 5:02pm

Hi all,

Today we received the results of a security assessment of our application, and concerns were raised about Auth0’s universal login (via custom and default domain) setting the value of the X-XSS-Protection header to 1 instead of the recommended value of 0. We would recommend that this either be changed or an option be given to allow this to be configured.

As links are disabled, sources can be found on Mozilla’s developer docs, OWASP’s cheatsheets series, and some articles by searching “x-xss-protection 0”.

dawid.matuszczyk · December 30, 2024, 11:13pm

Hi @Richie

Welcome to the Auth0 Community, and thank you for your feedback! Make sure to upvote it so that it gets as much attention as possible.

Dawid

Topic		Replies	Views
Is there anyway to update HTTP header in auth0 hosted page? Help auth0	4	3887	February 23, 2019
Auth0 New Universal Login Missing Some Security Headers Knowledge Articles new-universal-login , missing , security-headers	1	293	May 20, 2024
Flask+React Guide Questions Help security-question-concern , security-compliance	0	166	June 19, 2024
Security of universal login Help auth0	2	1789	March 10, 2022
Clickjacking via iframes Help security	5	4528	August 29, 2019

Universal Login response headers not compliant (X-XSS-Protection)

Related topics