Comments (2)
We will close this issue now. Please reopen if you would like additional follow-up.
from windowsserverdocs.
We will close this issue now. Please reopen if you would like additional follow-up.
Issue has not been addressed, nor can I re-open a closed issue myself. I don't see why you've closed it.
The page here https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs still misses the point and erroneously states:
As a result, AD FS effectively mitigates the threats that HTTP Strict Transport Security policy mechanism provides (by default there is no downgrade to HTTP since there are no listeners in HTTP).
This was incorrect in 2017, and it's still incorrect today. The threat isn't mitigated by having no HTTP listeners, since the whole point is to protect against an active MitM (which can respond to the SYN on port 80 and then the browser will treat the server as if it did have an HTTP listener!).
Maybe it would be easier if I just opened a PR?
from windowsserverdocs.
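The behaviour the second comment describes, as an added example that is not part of the original thread or of Microsoft's documentation: a simplified model of how a browser applies a stored HSTS policy (RFC 6797) before it opens any connection. The host name `sts.example.test` and the header values used with it are constructed for illustration.

```javascript
// Simplified model of browser-side HSTS handling (RFC 6797); not a full implementation.
// Times are plain seconds supplied by the caller so the logic is deterministic.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    const name = rawName.trim().toLowerCase();
    const arg = rest.join('=').trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age' && /^\d+$/.test(arg)) maxAge = Number(arg);
    else if (name === 'includesubdomains') includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains }; // max-age is mandatory
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a policy. The header is only honoured on responses received over HTTPS.
  noteResponse(url, headerValue, nowSec) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || !headerValue) return;
    const policy = parseHsts(headerValue);
    if (!policy) return;
    if (policy.maxAge === 0) this.hosts.delete(u.hostname); // max-age=0 clears the entry
    else this.hosts.set(u.hostname, { expires: nowSec + policy.maxAge, includeSubDomains: policy.includeSubDomains });
  }

  // A host matches its own entry, or a parent's entry that set includeSubDomains.
  isKnownHstsHost(hostname, nowSec) {
    const labels = hostname.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > nowSec && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // Decide which URL and TCP port the browser actually connects to.
  resolveNavigation(url, nowSec) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnownHstsHost(u.hostname, nowSec)) {
      u.protocol = 'https:'; // rewritten internally; no cleartext connection is attempted
    }
    return { url: u.href, port: Number(u.port) || (u.protocol === 'https:' ? 443 : 80) };
  }
}
```

Without a stored policy, `resolveNavigation` returns port 80 for an `http://` URL, so whether the real server listens there is irrelevant to what the browser attempts; with a stored policy the same navigation goes straight to 443.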