Hi all, Today we received the results of a security assessment of our application, and concerns were raised about Auth0’s universal login (via custom and default domain) setting the value of the X-XSS-Protection header to 1 instead of the recommended value of 0. We would recommend that this either …

Universal Login response headers not compliant (X-XSS-Protection)

ivanp July 7, 2025, 2:37am 3

Owasp classifies this as an issue, our pentesting picked this up and we do not have any instruments to actually fix this:

Topic		Replies	Views
Is there anyway to update HTTP header in auth0 hosted page? Get Help auth0	4	3936	February 23, 2019
Auth0 New Universal Login Missing Some Security Headers Knowledge Articles new-universal-login , missing , security-headers	1	424	May 20, 2024
X-Content-Type-Options Header Missing Get Help security	0	3305	April 29, 2020
Prevent iframe clickjacking (using X-Frame-Options header) Get Help security	4	4183	September 2, 2019
Clickjacking via iframes Get Help security	5	4568	August 29, 2019