Does IdentityServer4 have CSRF protection out of the box, or do we need to configure anything to enable/strengthen it? I have seen a "state" value passed around between /connect/authorize and /signin-oidc, but I'm not sure if it's enough. We are using hybrid flow with no consent page (internal application) and ASP.NET MVC OIDC, if that matters.
As required by the spec - IdentityServer echoes back the state parameter.
The real protection happens in the logic of the client library - e.g. the Microsoft OIDC middleware (which is protected).
If you are building your own client library you have to build that logic yourself.
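For a client author, the logic referred to above looks roughly like this. This is an added illustration, not IdentityServer4 or Microsoft OIDC middleware code; the endpoint, redirect URI, client id and cookie format are constructed assumptions.

```python
"""OIDC `state` handling on the client (relying party) side.

Added illustration of the logic a client library must implement; it is not
IdentityServer4 or Microsoft OIDC middleware code. Endpoint, client and cookie
values are constructed examples."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://idsrv.example/connect/authorize"  # constructed
REDIRECT_URI = "https://app.example/signin-oidc"                 # constructed
COOKIE_KEY = secrets.token_bytes(32)  # client-side secret for the correlation cookie

def _mac(state: str) -> str:
    return hmac.new(COOKIE_KEY, state.encode(), hashlib.sha256).hexdigest()

def begin_login(client_id: str) -> Tuple[str, str]:
    """Build the hybrid-flow authorize request and the correlation cookie
    (set it HttpOnly + SameSite) that binds the issued state to this browser."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "response_type": "code id_token",
              "response_mode": "form_post", "scope": "openid profile",
              "redirect_uri": REDIRECT_URI, "state": state,
              "nonce": secrets.token_urlsafe(32)}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", f"{state}.{_mac(state)}"

def state_from_authorize_url(url: str) -> str:
    """Extract the state the client put in the authorize request."""
    return parse_qs(urlparse(url).query)["state"][0]

def complete_login(form: dict, cookie: Optional[str]) -> bool:
    """Accept the form_post callback to /signin-oidc only when the echoed
    state matches the one bound to this browser via the correlation cookie.
    A missing, mismatched or tampered state means a forged or replayed login
    and the code/id_token must not be redeemed (nonce checks are separate)."""
    if not cookie or "." not in cookie:
        return False  # no login was started from this browser
    expected, mac = cookie.rsplit(".", 1)
    if not hmac.compare_digest(mac, _mac(expected)):
        return False  # cookie was altered
    echoed = form.get("state")
    return isinstance(echoed, str) and hmac.compare_digest(echoed, expected)
```

The server echoing state back is only half of it; the reject paths in complete_login are where the CSRF protection actually lives.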