A penetration test has identified the following:
Set the Strict-Transport-Security header to: “max-age=31536000”. If all subdomains require HTTPS, set the Strict-Transport-Security header to: “max-age=31536000; includeSubDomains”.
Release : All Supported Releases
Component : SPCOCK - OneClick
Edit the <SPECROOT>/tomcat/conf/web.xml file and change this section:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
to
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <!-- HSTS max-age in seconds (one year); the filter sends this header only on HTTPS requests -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
Save the file and restart Tomcat.
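To confirm the change took effect, the following added Python helper (not part of the KB article) parses a response's Strict-Transport-Security header per the RFC 6797 directive syntax and checks it against the finding above; the BEFORE and AFTER header dictionaries are constructed samples, not captured from a real OneClick server.

```python
# Added check (not from the KB): validate the HSTS header against the finding.
ONE_YEAR = 31536000  # max-age value required by the finding


def parse_hsts(header_value):
    """Parse an HSTS directive list into a dict, or return None when the
    header is absent or has no valid max-age (browsers then apply no policy)."""
    if header_value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age invalidates the header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(headers, require_subdomains=False, min_age=ONE_YEAR):
    """Return a list of findings for a dict of response headers
    (header-name lookup is case-insensitive); an empty list means compliant."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if policy is None:
        return ["Strict-Transport-Security header missing or malformed"]
    findings = []
    if policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}")
    if require_subdomains and not policy["include_subdomains"]:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed sample responses, not captured from a real OneClick server:
# BEFORE is the default web.xml (no HSTS), AFTER has hstsMaxAgeSeconds set.
BEFORE = {"Server": "Apache-Coyote/1.1", "X-Frame-Options": "SAMEORIGIN"}
AFTER = {"X-Frame-Options": "SAMEORIGIN",
         "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    print(check_hsts(BEFORE))                          # header missing
    print(check_hsts(AFTER))                           # [] -> compliant
    print(check_hsts(AFTER, require_subdomains=True))  # subdomains missing
```

If the subdomain variant of the finding applies, the same Tomcat filter also accepts an `hstsIncludeSubDomains` init-param (set to `true`) that adds the includeSubDomains directive; the check above reports its absence when called with `require_subdomains=True`.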