This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 94%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
We're running ADFS on Windows Server 2019, with the appropriate headers enabled. Much like this prior question, we need to have ADFS return a header, showing HSTS enabled, rather than a 404, if the root is called -- i.e., https://adfs.url.com. HSTS shows as enabled for a valid endpoint, such as https://adfs.url.com/adfs/ls/IdpInitiatedSignon.aspx, but our vulnerability auditors insist on calling the root. Any ideas?
There is nothing behind the "root" URL. What would be the value of enabling HSTS on an endpoint which do not serve any query?
It seems to me that it's rather a tool problem, and not a security problem.
I don't disagree.
However, some of us are scanned by, um, other organizations that mandate HSTS but their tools only query the root :(
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 24%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E9%3C/text%3E%3C/svg%3E)
I had the same issue/question for few weeks - Configure HSTS for AD FS
There is no way to modify the behavior. Work as designed by microsoft.