I noticed that the Management API now supports sending a security_headers field on the Update Tenant Settings API, which apparently allows for the configuration of Content-Security-Policy and other security-related items.
What I have not been able to find out is what this actually controls. I tried applying a policy to my tenant and reviewed the headers returned by the Universal Login and Password Reset pages. Unfortunately, I can't seem to get it to produce any changes. I also cannot find any documentation on the topic other than the API documentation linked above.
Are these features not fully rolled out yet? What do/will they actually control? Will they extend to the Universal Login page? We've had an open action item on our end to apply a stricter CSP to satisfy some pen-test requirements, and we were pleased to see the new settings in the hope that they would extend to those pages.
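A small way to make the "did the setting reach the page?" check repeatable is to capture the response headers of the login and password-reset pages before and after the tenant update, diff them, and audit whatever CSP is present for the weak source expressions a pen-test report usually flags. The script below is an added example, not code from the original post or from Auth0; it says nothing about the schema of the security_headers field. The header names it expects are the standard ones, `fetch_headers` only needs the page URL and network access, and the two sample responses (`SAMPLE_BEFORE`, `SAMPLE_AFTER`) are constructed so the audit and diff can run offline.

```python
"""Audit and diff the security headers a page returns, so a tenant-level
change can be checked against e.g. a Universal Login or Password Reset
page. Added example, not from the original post or from Auth0; the
expected header names and the sample captures below are assumptions."""
from __future__ import annotations

import sys
import urllib.request
from typing import Dict, List, Optional, Tuple

# Headers a pen-test checklist usually asks for. The value is a substring
# the header must contain, or None when presence alone is enough.
EXPECTED: Dict[str, Optional[str]] = {
    "content-security-policy": None,
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "referrer-policy": None,
}

# Source expressions that undo most of what a CSP is for when they appear
# in a script-controlling directive.
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}. Directives are
    ';'-separated; the first token is the name, the rest are sources."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(directives: Dict[str, List[str]]) -> List[str]:
    """Flag the CSP weaknesses that matter most for a login page."""
    findings: List[str] = []
    if "default-src" not in directives:
        findings.append("no default-src fallback")
    for name in ("default-src", "script-src"):
        for weak in WEAK_SOURCES:
            if weak in directives.get(name, []):
                findings.append(f"{name} allows {weak}")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors (framing control relies on X-Frame-Options only)")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means every
    expected header is present and the CSP has no weak script sources."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, must_contain in EXPECTED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif must_contain and must_contain not in value.lower():
            findings.append(f"{name} lacks {must_contain!r}: {value}")
    if "content-security-policy" in lower:
        findings.extend(csp_findings(parse_csp(lower["content-security-policy"])))
    return findings


def diff_headers(before: Dict[str, str], after: Dict[str, str]
                 ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Headers whose value changed between two captures (e.g. before and
    after a tenant settings update), keyed by lower-cased name."""
    b = {k.lower(): v for k, v in before.items()}
    a = {k.lower(): v for k, v in after.items()}
    return {name: (b.get(name), a.get(name))
            for name in sorted(set(b) | set(a)) if b.get(name) != a.get(name)}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """GET the page and return its response headers (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample captures (not real responses): a page before any CSP
# was applied, and the same page after a policy reached it.
SAMPLE_BEFORE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_AFTER: Dict[str, str] = dict(SAMPLE_BEFORE, **{
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
                               "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
})


if __name__ == "__main__":
    # Usage: python header_audit.py https://TENANT.example/login (hypothetical URL)
    # Without a URL the constructed samples are audited and diffed instead.
    if len(sys.argv) > 1:
        live = fetch_headers(sys.argv[1])
        print("findings:", audit_headers(live) or "none")
    else:
        print("before:", audit_headers(SAMPLE_BEFORE))
        print("after: ", audit_headers(SAMPLE_AFTER))
        print("changed:", diff_headers(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run it once against the page before you PATCH the tenant settings and once after, and compare the two captures with `diff_headers`; an unchanged `content-security-policy` value tells you the setting did not reach that page, independent of what the API accepted.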