Any ideas / assist?
It seems I must write (or find a pre-written) filter to force the HSTS header on all Jira requests, for any port on which a request is made. The Jira site fails security scans for HSTS on port 8443. And, upon inspection, HSTS is indeed not in the header on :8443 requests.
Adding “strict” HSTS config settings in the Tomcat web.xml (see solutions all over the web, and the nginx .conf file) does place HSTS in the header for ports 80 & 443 (good). But no web.xml entry forces port 8443 to have the HSTS header (bad).
curl -IL http://:8443
curl -IL https://:8443
curl -sSL -D - | egrep -i strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
Since no config answer works, only a code solution (in the form of a filter) may work. Failing security scans is the problem. Thanks for the assist.
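
A servlet filter of the kind the post asks for, as an added example that is not part of the original post and is not Jira or Tomcat code. It assumes the javax.servlet API, a hypothetical class name `ForceHstsFilter` with a hypothetical init-param `hstsValue`, and a `/*` filter mapping in the application's web.xml.

```java
// Added example: hypothetical ForceHstsFilter, not Jira or Tomcat code.
// Assumes the javax.servlet API (swap imports to jakarta.servlet on newer containers).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ForceHstsFilter implements Filter {
    private static final String HEADER = "Strict-Transport-Security";
    // Default policy: the same value the post sees on ports 80 and 443.
    private String value = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Optional init-param "hstsValue" (hypothetical name) overrides the default.
        String v = cfg.getInitParameter("hstsValue");
        if (v != null && !v.trim().isEmpty()) {
            if (v.indexOf('\r') >= 0 || v.indexOf('\n') >= 0) {
                throw new ServletException("hstsValue must not contain CR or LF");
            }
            value = v.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the chain runs: a committed response cannot be
            // changed. There is no port or isSecure() test, so a request arriving
            // on 8443 is covered however the connector or proxy labels it.
            ((HttpServletResponse) res).setHeader(HEADER, value);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Tomcat's built-in `HttpHeaderSecurityFilter` adds the header only when `request.isSecure()` is true, so a connector that is not marked secure gets none; this filter has no such condition. Browsers ignore the header on plain-HTTP responses, so sending it unconditionally does not change behaviour on port 80.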