The vulnerability tool shows that the Jetty web server has the vulnerability even if the web server is configured to use HTTPS.
Plugin Text- <plugin_output> The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header. </plugin_output>
Release : 21.0.4
The message below is just an information message only and it does not mean that it is vulnerable to any attacker. The vulnerability is that when HTTPS is enabled and HTTP is also available then the information is still sent across HTTP and an attacker would be able to see and alter all transferred data. By explicitly turning off HTTP (setting http.enabled to false) on the Jetty web server, the vulnerability is no longer exploitable as no HTTP communication is set.