Set Security Headers in All Authentication Pages

Overview

This article clarifies whether it is possible to set these security headers in all authentication pages:

  • Content-Security-Policy
  • X-Frame-Options
  • Referrer-Policy
  • Permissions-Policy

Applies To

  • Security Headers
  • Authentication Pages

Solution

By default, Auth0 does not allow setting additional headers beyond those it already provides.

However, when using a Reverse Proxy (also referred to as Custom Domains with Self-Managed Certificates), it becomes possible to add or modify headers as needed. Since all network traffic flows through the Reverse Proxy, headers can be injected or adjusted at that layer.
Some organizations may choose to implement additional headers, such as Content-Security-Policy, to enhance the security of Classic Universal Login. Please note that requests bypassing the Reverse Proxy (for example, calls to the Management API or Dashboard) will not have these headers applied. These endpoints, however, are not accessed by end users and therefore pose less risk.
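As an added illustration of the Reverse Proxy approach described above (this is example configuration written for this article, not Auth0's own), the following nginx server block injects the four headers in front of a custom domain with a self-managed certificate. The domain name, certificate paths and origin hostname are placeholders, and the header values are illustrative choices rather than Auth0 recommendations; the request headers Auth0 requires for self-managed certificates come from your custom-domain configuration and are not shown.

```nginx
# Added example, not Auth0 documentation: nginx reverse proxy for a custom
# domain (login.example.com is a placeholder) that adds the headers from
# this article to every proxied authentication-page response.
server {
    listen 443 ssl;
    server_name login.example.com;

    ssl_certificate     /etc/ssl/certs/login.example.com.pem;    # self-managed certificate
    ssl_certificate_key /etc/ssl/private/login.example.com.key;

    location / {
        # Placeholder: the origin hostname and any request headers Auth0
        # requires for self-managed certificates come from your custom-domain setup.
        proxy_pass https://ORIGIN_HOSTNAME_FROM_AUTH0_CUSTOM_DOMAIN_SETUP;
        proxy_set_header Host $host;

        # Hide the upstream copies first: add_header appends rather than
        # replaces, and two values for one header (e.g. two X-Frame-Options)
        # are not interpreted consistently by browsers.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Referrer-Policy;
        proxy_hide_header Permissions-Policy;
        proxy_hide_header Content-Security-Policy;

        # Keep all add_header directives at one level: a block that defines
        # any add_header discards those inherited from the server block.
        # "always" emits the headers on 4xx/5xx responses as well as 2xx/3xx.
        add_header X-Frame-Options "DENY" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

        # The CSP allow-list is an illustration only: it must name exactly the
        # origins the Classic Universal Login page loads scripts, styles and
        # images from, or the login page breaks. Deploy it first as
        # Content-Security-Policy-Report-Only and review the reports.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://SCRIPT_CDN_HOST_PLACEHOLDER; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'" always;
    }
}
```

After reloading nginx, confirm with a response-header dump (for example `curl -sI https://login.example.com/login`) that each header appears exactly once and that the Management API and Dashboard, which bypass the proxy, are unaffected as the article notes.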
