minor corrections

Author: tdykstra

aspnetcore/release-notes/aspnetcore-10.0.md

@@ -89,6 +89,8 @@ For more information, see [ASP.NET Core Authorization and Authentication metrics
 
 This section describes miscellaneous new features in .NET 10.
 
+[!INCLUDE[](~/release-notes/aspnetcore-10/includes/httpsys.md)]
+
 [!INCLUDE[](~/release-notes/aspnetcore-10/includes/testAppsTopLevel.md)]
 
 [!INCLUDE[](~/release-notes/aspnetcore-10/includes/jsonPatch.md)]
@@ -113,9 +115,6 @@ if (RedirectHttpResult.IsLocalUrl(url))
 
 Thank you [@martincostello](https://github.com/martincostello) for this contribution!
 
-<!-- This include file is H2 -->
-[!INCLUDE[](~/release-notes/aspnetcore-10/includes/httpsys.md)]
-
 ## Related content
 
 <xref:servers/httpsys>

aspnetcore/release-notes/aspnetcore-10/includes/httpsys.md

@@ -1,19 +1,19 @@
-## Customizable security descriptors for HTTP.sys
+### Customizable security descriptors for HTTP.sys
 <!--PR: https://github.com/dotnet/aspnetcore/pull/61325-->
-<!-- This section was deliberately made H2 -->
+
 You can now specify a custom security descriptor for HTTP.sys request queues. The new `[RequestQueueSecurityDescriptor](https://source.dot.net/#Microsoft.AspNetCore.Server.HttpSys/HttpSysOptions.cs,a556950881fd2d87) property on <xref:Microsoft.AspNetCore.Server.HttpSys.HttpSysOptions> enables more granular control over access rights for the request queue. This granular control lets you tailor security to your application's needs.
 
-### Why customizability matters
+#### Why customizability matters
 
 HTTP.sys relies on a security descriptor for access control. This descriptor determines which users or groups are allowed to access specific HTTP URLs.
 
 By customizing the security descriptor, you can allow or deny specific users or groups access to the request queue. This is useful in scenarios where you want to restrict or delegate HTTP.sys request handling at the operating system level.
 
-### How to Customize a descriptor
+#### How to Customize a descriptor
 
-The `RequestQueueSecurityDescriptor`property applies only when creating a new request queue. This property doesn't affect existing request queues.
+The `RequestQueueSecurityDescriptor` property applies only when creating a new request queue. This property doesn't affect existing request queues.
 
-Set the `RequestQueueSecurityDescriptor` property to a `GenericSecurityDescriptor` instance when configuring your HTTP.sys server. For example, to allow all authenticated users but deny guests:
+Set the `RequestQueueSecurityDescriptor` property to a <xref:System.Security.AccessControl.GenericSecurityDescriptor> instance when configuring your HTTP.sys server. For example, to allow all authenticated users but deny guests:
 
 ```csharp
 using System.Security.AccessControl;
@@ -51,6 +51,4 @@ builder.WebHost.UseHttpSys(options =>
 });
 ```
 
-### Related content
-
-<xref:fundamentals/servers/httpsys>
+For more information see <xref:fundamentals/servers/httpsys>.