In Okta Identity Engine (OIE), the Content-Security-Policy headers contain entries for localhost and authenticatorlocalprod.com with exposed port numbers.
Applies to:
- Okta Identity Engine (OIE)
- Content Security Policy (CSP)
These entries are for device authenticators, and their exposure is not a vulnerability.
If DNS Rebinding protection is enabled, users on unmanaged devices may experience issues with phishing resistance policy requirements. An exception on the DNS Server/Router for localhost and authenticatorlocalprod.com may be necessary.
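When a scanner flags these entries, it helps to list exactly which CSP directives carry them and with which ports. The following is an added example, not Okta's code: it parses a CSP header value and returns the source expressions for the two hosts named above. The sample header, its `example.okta.com` hostname and its port numbers are constructed placeholders.

```python
import re

# Hosts this page names as device-authenticator entries.
AUTHENTICATOR_HOSTS = {"localhost", "authenticatorlocalprod.com"}

# CSP host-source grammar: [scheme://]host[:port][/path]
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9.-]+)"
    r"(?::(?P<port>\d+|\*))?"
    r"(?P<path>/\S*)?$",
    re.IGNORECASE,
)

def parse_csp(header_value):
    """Return {directive: [source expressions]} for one CSP header value."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # In CSP a repeated directive is ignored, so the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def authenticator_entries(header_value):
    """List (directive, scheme, host, port) for entries on the authenticator hosts."""
    found = []
    for directive, sources in parse_csp(header_value).items():
        for src in sources:
            if src.startswith("'"):  # keywords, nonces and hashes are quoted
                continue
            m = HOST_SOURCE.match(src)
            if m and m.group("host").lower() in AUTHENTICATOR_HOSTS:
                found.append((directive, m.group("scheme"),
                              m.group("host").lower(), m.group("port")))
    return found

# Constructed sample header; the port numbers are placeholders, not Okta's real values.
SAMPLE = (
    "default-src 'self' example.okta.com; "
    "connect-src 'self' http://localhost:11111 "
    "https://authenticatorlocalprod.com:22222; "
    "img-src 'self' data:; frame-ancestors 'self'"
)

if __name__ == "__main__":
    for entry in authenticator_entries(SAMPLE):
        print(entry)
```

Any host-with-port entry a scanner reports that this function does not return falls outside the two hosts covered by this article and needs its own review.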
