We upgraded to Directory Server 12 Fall 2025 from the Spring 2025 release over the weekend. One of our sets of servers that hosts Forms and the Web Client are on a different domain. When we first tried to log in to the Web Client we were presented with this error:

I remembered reading in the release notes that the Web Client had some security updates:

• UI for setting HSTS and other security options, with secure defaults.

This is similar to an update to LFDS a while back where you needed to add domains to the Content-Security-Policy header section of the STS configuration page. You will need to go to the Web Client configuration page and select the Security tab on the left, check to "Enable the Content Security-Policy header to provide an additional layer of protection against XSS attacks" and then add your domains to the list already provided. Do not remove the values already listed because they are used by the Web Client. Removing them may cause other issues within the product.

Just wanted to put this out there for anyone else that may run into this.