Auth0 New Universal Login Missing Some Security Headers
Overview
The new universal login page is missing Content-Security-Policy, X-Frame-Options, and Referrer-Policy.
Applies To
- Universal Login
Cause
For example, when the login page loads successfully, Auth0 returns headers such as the following:
Alt-Svc: h3=":443"; ma=86400
Cache-Control: no-store, max-age=0, no-transform
Cf-Cache-Status: DYNAMIC
Cf-Ray: 88338403cb8479bb-LHR
Content-Language: en
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html; charset=utf-8
Date: Mon, 13 May 2024 15:00:01 GMT
Etag: W/"809f-xpFDBq5a0RFDqirAwqfZKTMCRZY"
Expires: Mon, 13 May 2024 15:00:01 GMT
Pragma: no-cache
Referrer-Policy: same-origin
Server: cloudflare
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Auth0-Requestid: 9a1ed70299fbd87ce323
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Ratelimit-Limit: 20
X-Ratelimit-Remaining: 19
X-Ratelimit-Reset: 1715612408
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block
When the cookies are discarded, the error page that is returned instead carries the following headers:
Alt-Svc: h3=":443"; ma=86400
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
Cf-Cache-Status: DYNAMIC
Cf-Ray: 883386b9b95506a2-LHR
Content-Length: 2812
Content-Type: text/html; charset=utf-8
Date: Mon, 13 May 2024 15:01:52 GMT
Etag: W/"afc-wHmXbG6VyXRvV5HHdjpEriHpWJk"
Server: cloudflare
Set-Cookie: did=s%3Av0%3Abb4bcd90-1139-11ef-91e2-a3c1eca31273.RjFP1x2vyDIXt3xHWLwjc%2B0g8T2hAAtTsKelP7Ny0bw; Max-Age=31557600; Path=/; Expires=Tue, 13 May 2025 21:01:52 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: did_compat=s%3Av0%3Abb4bcd90-1139-11ef-91e2-a3c1eca31273.RjFP1x2vyDIXt3xHWLwjc%2B0g8T2hAAtTsKelP7Ny0bw; Max-Age=31557600; Path=/; Expires=Tue, 13 May 2025 21:01:52 GMT; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Auth0-Requestid: 4a9534424ee28cefc863
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 20
X-Ratelimit-Remaining: 19
X-Ratelimit-Reset: 1715612519
There are important differences between the two responses. When the login page is rendered, Auth0 returns Content-Security-Policy, X-Frame-Options, and Referrer-Policy; when the error page is rendered, these three headers are missing.
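As an added example (not Auth0 code), the following Python check parses raw header dumps like the two above and reports which expected security headers each response omits, and which ones the error page drops relative to the login page. The sample responses are constructed, abridged from the headers listed above.

```python
# Added example (not Auth0 code): check which security headers an HTTP
# response omits, and which ones one response drops relative to another.

# Headers a login flow is expected to send; values are not validated here.
EXPECTED_SECURITY_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "referrer-policy",
    "strict-transport-security",
    "x-content-type-options",
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines into a dict keyed by lowercase header name.
    Repeated headers (Set-Cookie) are kept as a list; a missing space after
    the colon ('Alt-Svc:h3=...') is tolerated."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # blank line or status line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing_security_headers(raw: str) -> list[str]:
    """Expected security headers absent from the response."""
    present = parse_headers(raw)
    return [h for h in EXPECTED_SECURITY_HEADERS if h not in present]


def headers_dropped_between(ok_raw: str, err_raw: str) -> list[str]:
    """Security headers sent on the first response but not on the second."""
    ok_missing = set(missing_security_headers(ok_raw))
    return [h for h in missing_security_headers(err_raw) if h not in ok_missing]


# Constructed samples, abridged from the two responses shown above.
LOGIN_PAGE = """Content-Security-Policy: frame-ancestors 'none'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
"""
ERROR_PAGE = """Cache-Control: private, no-store, no-cache, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""
```

Running `headers_dropped_between(LOGIN_PAGE, ERROR_PAGE)` on the constructed samples yields the three headers the article names as missing on the error page.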