SCIM bridge Missing Web Security Headers

Community Member
edited March 27 in SCIM Bridge

One of our external security testing tools has highlighted two issues with web security best practices missing from the SCIM bridge app.

-Missing HSTS Headers
-Missing Permissions Policy

These can be seen by putting the scim bridge url into:

Are there any plans to implement these headers into the SCIM bridge app?

SCIM bridge version version: 2.9.1

See image below for the results from ours.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided


  • Hi @Saqibs

    Thanks for writing in.

    Regarding HSTS for the SCIM bridge, this is something we have trialled internally, which yielded two issues we have considered at length.

    It interfered with our model on Let’s Encrypt TLS certificates, which many customers rely on.
    Identity providers do not check for HSTS headers when connecting to the 1Password SCIM Bridge, as HSTS is an entirely browser-based security feature. The SCIM bridge UI is not something our customers use daily. Therefore, after we obtained all the testing results, it was decided not to include HSTS as most of the interactions with the SCIM bridge originated from the IdP where HSTS is not within the API messages.

    Regarding Permissions Policy header, Feature-Policy header has had its name changed to Permission-policy, but otherwise there has been no change in functionality. Currently, browsers have support for this header at both the previous name and new name. With that said, we always thrive to keep up-to-date, and we have this issue on our radar in near future.

    I hope this address your concern. Let me know if you have any questions.