Penetration test reports "HSTS Missing From HTTPS Server" on the OCR server
The OCR server uses Tomcat to handle the REST requests sent by the detection server.
This vulnerability does not affect the OCR server.
This is a false positive, because the HSTS (HTTP Strict Transport Security) header is required for communication with browser clients.
In this communication, the OCR system is the “server” and the DLP detection server is the “client”. The OCR server handles requests from the detector only in a strict, specified format, and it responds to such requests and no others.
The DLP detection server is not a browser-based client. Hence the above vulnerability does not affect the OCR detection server.
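
The reasoning above depends on no browser ever talking to the OCR server. The following added example (not part of the original article or of the product) is one way to check that from the Tomcat access log. It assumes the AccessLogValve is configured with the "combined" pattern; the sample lines, addresses, the /ocr/extract path and the agent strings are constructed for illustration.

```python
import re

# Tomcat AccessLogValve "combined" pattern:
#   %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample input (assumption: none of these values come from a real system).
SAMPLE_LOG = """\
10.0.0.21 - - [12/Mar/2024:10:15:01 +0000] "POST /ocr/extract HTTP/1.1" 200 5120 "-" "Java/11.0.20"
10.0.0.21 - - [12/Mar/2024:10:15:04 +0000] "POST /ocr/extract HTTP/1.1" 200 733 "-" "Java/11.0.20"
10.0.0.87 - - [12/Mar/2024:10:16:40 +0000] "GET / HTTP/1.1" 404 682 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/123.0"
10.0.0.21 - - [12/Mar/2024:10:17:12 +0000] "POST /ocr/extract HTTP/1.1" 200 2048 "https://ocr.example.internal/" "Java/11.0.20"
not a log line
"""


def find_browser_requests(log_text):
    """Return (findings, unparsed).

    findings: (client, request line, reasons) for requests that look browser-made.
    unparsed: lines that did not match the combined pattern; review these by hand
              rather than silently treating them as clean.
    """
    findings, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = COMBINED.match(line)
        if m is None:
            unparsed.append(line)
            continue
        reasons = []
        # Mainstream browsers send a User-Agent that starts with "Mozilla/".
        if m["agent"].startswith("Mozilla/"):
            reasons.append("browser User-Agent")
        # Heuristic: a Referer usually means the request came from page navigation.
        if m["referer"] not in ("", "-"):
            reasons.append("Referer present")
        if reasons:
            findings.append((m["host"], m["request"], reasons))
    return findings, unparsed


if __name__ == "__main__":
    for finding in find_browser_requests(SAMPLE_LOG)[0]:
        print(finding)
```

An empty findings list over a representative log period supports the false-positive assessment; any hit means a browser-style client did reach the OCR server and should be investigated.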