Clickjacking Protection for Universal Login Change

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. This is done by loading content in an iframe and rendering elements on top of it. In the context of the Universal Login pages, an attacker could trick the user into clicking a Login or Reset Password button.

This can be prevented by setting the following HTTP headers:

    X-Frame-Options: deny
    Content-Security-Policy: frame-ancestors 'none'

Even if the potential attack does not entail significant risk, adding the headers is good security practice. Security scanners also detect their absence, so reports from penetration testers might mention the lack of these headers.


If you render the login page in an iframe, adding these headers could be a breaking change. Therefore, instead of adding these headers for all customers, Auth0 lets you opt in to them, and we strongly recommend that you do.

The following action is not required if you are using the New Universal Login Experience because those headers are always set in that case.

To opt in to this change:

  1. Go to Tenant Settings > Advanced Settings.

  2. Scroll to Migrations, and turn off the Disable clickjacking protection for Classic Universal Login setting.
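
To confirm that both headers are served after changing the setting, the response headers of the login page can be audited with a check like the following. This is an added example, not Auth0 code: the function names and the sample header sets are constructed, and it assumes you pass in the header pairs collected by your own HTTP client.

```python
# Added example: audits response headers for the two anti-framing headers above.
# Sample header sets below are constructed, not captured from a real tenant.

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        # The first occurrence of a directive is the one a browser honours.
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def check_framing_headers(headers):
    """headers: (name, value) pairs as received; duplicate names are allowed.
    Returns (ok, findings); ok is True only if both headers forbid all framing."""
    findings = []
    xfo = [t.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",")]
    # Only the enforcing header counts; Content-Security-Policy-Report-Only
    # does not block framing, so it is deliberately not matched here.
    policies = [frame_ancestors(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif any(v != "deny" for v in xfo):
        findings.append("X-Frame-Options is not 'deny': " + ", ".join(xfo))
    # All enforced policies apply together, so one with exactly 'none' suffices.
    if ["'none'"] not in policies:
        declared = [" ".join(p) for p in policies if p is not None]
        findings.append("CSP frame-ancestors allows: " + "; ".join(declared)
                        if declared else "CSP frame-ancestors 'none' missing")
    return (not findings, findings)

# Constructed samples: opted in, not opted in, and a weaker custom configuration.
PROTECTED = [("Content-Type", "text/html"),
             ("X-Frame-Options", "deny"),
             ("Content-Security-Policy", "frame-ancestors 'none'")]
UNPROTECTED = [("Content-Type", "text/html")]
WEAK = [("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy-Report-Only", "frame-ancestors 'none'"),
        ("Content-Security-Policy",
         "default-src 'self'; frame-ancestors 'self' https://portal.example")]

if __name__ == "__main__":
    for name, sample in (("protected", PROTECTED), ("unprotected", UNPROTECTED),
                         ("weak", WEAK)):
        print(name, check_framing_headers(sample))
```

The third sample shows two results a scanner report can hide: a report-only policy does not count as protection, and `SAMEORIGIN` is weaker than the `deny` value recommended here.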