OWASP ZAP showing “Content Security Policy (CSP) Header Not Set” for Azure AD B2C /authorize endpoint — can this be fixed from application side?
Hello Microsoft Team,
We are using Azure AD B2C for authentication in our ASP.NET web application through OpenID Connect.
During a recent OWASP ZAP security scan, we received the following finding:
"Content Security Policy (CSP) Header Not Set for
ZAP reports this as a Medium risk issue, recommending that a Content-Security-Policy header be included in the response.
However, since this endpoint is hosted under b2clogin.com (Microsoft-owned), we do not have control over its HTTP response headers.
Our application itself already includes a proper CSP header in all responses.
We would like to confirm the following points:
1) Is it expected that Microsoft’s Azure AD B2C authorize endpoint does not include a CSP header in its responses?
2) Is there any supported configuration in Azure AD B2C that allows us to add or customize response headers (like CSP) for the /authorize endpoint or login pages?
3) From a security compliance standpoint, can we safely mark this finding as “third-party managed” since the response originates from Microsoft’s B2C login domain, not our own?
4) Are there any official Microsoft statements or documentation confirming that we cannot modify CSP headers for the /authorize or token endpoints?
We use the following authentication flow:
Application: ASP.NET (C#)
Identity: Azure AD B2C
Protocol: OpenID Connect (/authorize → /token → redirect back to our app)
The CSP header is already added to all responses from our own app using <customHeaders> in Web.config.
Thank you in advance for clarifying whether this ZAP finding applies to us.
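One practical way to triage a finding like this is to bucket each ZAP alert by the host it was raised against, so that alerts on the application's own origin (where a missing CSP header would contradict the Web.config setting) are kept separate from alerts on the b2clogin.com login domain, whose response headers are outside the application's control. The script below is an added example, not part of the original post and not from ZAP or Microsoft; the host names and alert records are constructed sample data, shaped loosely after ZAP's alert JSON.

```python
from urllib.parse import urlparse

# Hosts operated by the application team (constructed example value).
OWN_HOSTS = {"app.example.com"}

# Identity-provider hosts; their response headers cannot be changed from the
# application side. b2clogin.com is the Azure AD B2C login domain.
IDP_HOST_SUFFIXES = (".b2clogin.com",)

# Constructed alert records, loosely following ZAP's alert JSON fields.
SAMPLE_ALERTS = [
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "url": "https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=placeholder"},
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "url": "https://app.example.com/signin-oidc"},
    {"alert": "Cross-Domain JavaScript Source File Inclusion", "risk": "Low",
     "url": "https://cdn.example.net/lib.js"},
]


def classify_host(url: str) -> str:
    """Return 'first-party', 'third-party-idp', or 'unknown' for an alert URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in OWN_HOSTS:
        return "first-party"
    if host.endswith(IDP_HOST_SUFFIXES):
        return "third-party-idp"
    # Anything else (other CDNs, malformed URLs) needs a human decision.
    return "unknown"


def triage(alerts: list) -> dict:
    """Group alerts by ownership of the responding host."""
    buckets = {"first-party": [], "third-party-idp": [], "unknown": []}
    for alert in alerts:
        buckets[classify_host(alert.get("url", ""))].append(alert)
    return buckets


def first_party_csp_gaps(alerts: list) -> list:
    """URLs on our own hosts where ZAP still reports a missing CSP header.

    These contradict the claim that every application response carries CSP and
    are the ones to investigate rather than mark as third-party managed."""
    return [a["url"] for a in triage(alerts)["first-party"]
            if a.get("alert", "").startswith("Content Security Policy (CSP) Header Not Set")]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(f"{bucket}: {len(items)} alert(s)")
    print("first-party CSP gaps:", first_party_csp_gaps(SAMPLE_ALERTS))
```

Only the first-party bucket is actionable in Web.config; the third-party-idp bucket is the one to document as managed by the identity provider, and the unknown bucket should be reviewed by hand.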