Clickjacking Protection for Universal Login Change
Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. This is done by loading the target page in an iframe and rendering attacker-controlled elements on top of it. In the context of the Universal Login pages, an attacker could trick the user into clicking a Login or Reset Password button.
This can be prevented by setting the following HTTP headers:
X-Frame-Options: deny
Content-Security-Policy: frame-ancestors 'none'
Even though the potential attack does not entail significant risk, adding the headers is good security practice. The absence of these headers is also flagged by security scanners, so reports from penetration testers might mention it.
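A small checker for the framing policy those two headers express, added here as an example and not Auth0's code. The header names and values are the ones listed above; the sample header sets are constructed, and the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options follows how current browsers behave.

```python
"""Classify the clickjacking protection declared by a set of HTTP response headers."""
from typing import Mapping, Optional


def _csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keyword sources are quoted ('none', 'self'); host sources are not.
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allowlisted' or 'unprotected' for a response.

    Header names are matched case-insensitively. If both headers are present,
    frame-ancestors wins, as in browsers that implement CSP level 2.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in (["none"], []):   # an empty source list matches no ancestor
            return "blocked"
        if "*" in ancestors:
            return "unprotected"
        if ancestors == ["self"]:
            return "same-origin"
        return "allowlisted"              # specific origins may embed the page
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # No header, or the obsolete ALLOW-FROM, which current browsers ignore.
    return "unprotected"


# Constructed sample responses: a login page with the recommended headers, and one without.
PROTECTED_LOGIN = {"X-Frame-Options": "deny", "Content-Security-Policy": "frame-ancestors 'none'"}
UNPROTECTED_LOGIN = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("protected", PROTECTED_LOGIN), ("unprotected", UNPROTECTED_LOGIN)):
        print(f"{name}: {framing_policy(hdrs)}")
```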
Actions
In cases where you render the login page in an iframe, adding these headers could be a breaking change. Instead of adding these headers for all customers, therefore, Auth0 lets you opt in to them, which we strongly recommend you enable.
The following action is not required if you are using the New Universal Login Experience because those headers are always set in that case.
To opt in to this change:
Scroll to Migrations, and turn off the Disable clickjacking protection for Classic Universal Login setting.