During a penetration test we identified the "HSTS Missing From HTTPS Server" vulnerability.  How can this issue be resolved?

Release : 14.3 CP2, 14.4

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

The HTTP Strict-Transport-Security response header (HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

This is negated in IM by the use of "Upgrade-Insecure-Requests". 

The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.

In both approaches, the browser is forced to make a secure connection with the server.