Hi igor,
You probably won't believe your eyes when you see these asafaweb scan results:
https://asafaweb.com/Scan?Url=www.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D41138
Insecure server settings at Microsoft Download Center:
1. Excessive headers warning
Result
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET, ARR/2.5
X-AspNet-Version: 4.0.30319
2. Clickjacking warning
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin, or allow it from trusted URIs.
Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.
From a website like Microsoft's I at least expected that they used best security server configuration practices.
This is a disillusionment for me,
polonus
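As an added example (not part of the post above and not asafaweb's code), a small Python check that reproduces the two scan findings, platform-revealing headers and a missing X-Frame-Options header, against a constructed copy of the quoted response headers and a constructed hardened header set; the hardened set (disclosure headers removed, SAMEORIGIN framing) is an assumption about remediation, not something the scan shows.

```python
"""Header-hygiene check modelled on the two asafaweb findings quoted in the post.
Added example for this page, not asafaweb's code; header sets are constructed."""
from typing import Dict, List

# Headers that disclose the web platform (the "excessive headers" finding).
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# X-Frame-Options values that actually restrict framing (ALLOW-FROM handled separately).
SAFE_FRAME_VALUES = ("DENY", "SAMEORIGIN")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = lower.get(name.lower())
        if value:
            findings.append(f"excessive header: {name}: {value}")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("clickjacking: X-Frame-Options header missing")
    elif xfo not in SAFE_FRAME_VALUES and not xfo.startswith("ALLOW-FROM "):
        findings.append(f"clickjacking: unrecognised X-Frame-Options value {xfo!r}")
    return findings


# Constructed header set reproducing the response headers quoted in the scan result.
SCANNED_RESPONSE = {
    "Server": "Microsoft-IIS/8.0",
    "X-Powered-By": "ASP.NET, ARR/2.5",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html",
}

# Constructed (assumed) header set after remediation: disclosure headers removed, framing restricted.
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for label, hdrs in (("scanned", SCANNED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or ["no findings"])
```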