IdentityServer applies a Content Security Policy (CSP) to every HTML page it displays.


IdentityServer3 allows the hosting application to set a CspOptions object on the IdentityServerOptions to control the CSP behavior. Below are the settings that are configurable:

CSP allows for a reporting endpoint to be configured. IdentityServer provides a CSP report endpoint which is described here.
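
As an added illustration (not code from the IdentityServer documentation), this is one way a host could set CspOptions and keep the CSP report endpoint on before calling app.UseIdentityServer(options). The class and method names and the example.com origins are assumptions made for the example; the option properties are those of the IdentityServer3 CspOptions and EndpointOptions classes.

```csharp
using IdentityServer3.Core.Configuration;

// Hypothetical helper for this example; not part of IdentityServer3.
public static class CspSetup
{
    // Expects options the host has already populated (Factory,
    // SigningCertificate, ...) and returns them with CSP configured.
    public static IdentityServerOptions WithCsp(IdentityServerOptions options)
    {
        options.CspOptions = new CspOptions
        {
            // Keep the policy on. Setting this to false stops IdentityServer
            // from sending the CSP header on its HTML pages.
            Enabled = true,

            // Each value is added to IdentityServer's default policy for that
            // directive. List only the specific origins that custom views
            // load from; a wildcard or 'unsafe-inline' here would undo most
            // of the protection the default policy gives.
            // The origins below are placeholders.
            ScriptSrc = "https://cdn.example.com",
            StyleSrc = "https://cdn.example.com",
            FontSrc = "https://cdn.example.com",
            ConnectSrc = "https://api.example.com"
        };

        // Keep the built-in CSP report endpoint available so that browsers
        // can post violation reports back to IdentityServer.
        if (options.Endpoints == null)
        {
            options.Endpoints = new EndpointOptions();
        }
        options.Endpoints.EnableCspReportEndpoint = true;

        return options;
    }
}
```

After deploying custom views, review the reported violations before widening any directive: a report usually means either a resource that was missed in the allow-list or content that should not be on the page at all.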