Upgrade to TLS 1.2, what actions to take?

Question: I need to make sure requests to Auth0 use TLS 1.2 or later

Answer:

Requests to Auth0 can be broadly categorized in three categories:

  • Requests coming from applications running in backend servers. These are apps like web servers or backend APIs that communicate with Auth0 directly (no browser involved).
  • Requests coming from the user’s browsers. This happens with:
    • any web application that redirects the user to Auth0’s /authorize endpoint for things like authentication and MFA prompts. Also native (mobile/desktop) apps that open a system browser so that the user can authenticate.
    • JavaScript code that talks to Auth0 directly (embedded login, token requests, obtain user information, and so on).
  • Requests coming from users’ devices: these are requests initiated from native applications, running on phones, tablets, or desktop computers.

Usually, you don’t have much control over the browser or devices that your users use. Fortunately, all modern browsers support TLS 1.2 by default (check this quick summary, or this Wikipedia page for a detailed rundown). The same is true for Android (see Default configuration for different Android versions) and iOS (TLS 1.2 supported since iOS 5).

The area where you need to focus most (and where you have control) is the first category, requests coming from applications running in backend servers, ensuring that each application talks to Auth0 using TLS 1.2 or greater. What you’ll need to do depends on the technology used, but it’s usually settings at the OS level (updating OpenSSL) or at the application level.

For example:
