A vulnerability scanner reports the following finding against the Jetty web server even when the server is configured to use HTTPS:
Plugin text: <plugin_output> The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header. </plugin_output>
Other scan tools may report the same finding as: HTTP Strict Transport Security (HSTS) Policy Not Enabled
Release: 21.0.4
The scanner message above is informational only; on its own it does not mean the server is exploitable by an attacker.
The finding becomes exploitable only when both HTTPS and HTTP are enabled. Without an HSTS policy, data can still be sent over plain HTTP, where an attacker on the network path would be able to see and alter all transferred data.
Explicitly turning off HTTP on the Jetty web server (set http.enabled to false in the configuration.properties file) removes the exposure, since no plain HTTP communication is possible. The scanner may still flag the missing header after this change, but with HTTP disabled the finding is informational only.
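As an added example (not part of this article and not the product's own code), the following Python check evaluates the Strict-Transport-Security header of an HTTPS response and classifies the scanner finding the way this article reasons: a missing header while plain HTTP is enabled is a real exposure, a missing header with HTTP disabled is informational. The severity labels and the one-year minimum max-age are the example's own assumptions, and the sample headers are constructed.

```python
"""Added example: assess an HSTS finding in the light of whether plain HTTP is enabled.
Severity labels ("medium", "low", "info", "ok") and the minimum max-age are assumptions
made by this example, not values from the scanner or the product."""


def parse_hsts(value):
    """Parse an HSTS header value into a dict of lower-cased directives (RFC 6797).
    Directives without a value (includeSubDomains, preload) map to an empty string."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers, http_enabled, min_max_age=31536000):
    """Return (severity, reason) for the response headers of an HTTPS listener.

    headers:      dict of response header name -> value (case-insensitive lookup)
    http_enabled: True if the server also exposes a plain HTTP listener
                  (the http.enabled setting this article describes)
    min_max_age:  assumed minimum acceptable max-age in seconds (one year here)
    """
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        if http_enabled:
            return "medium", ("no HSTS header and plain HTTP is enabled: "
                              "clients can still be sent over HTTP")
        return "info", "no HSTS header, but plain HTTP is disabled: nothing to downgrade to"
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "low", "HSTS header present but max-age is missing or not an integer"
    if max_age < min_max_age:
        return "low", f"HSTS max-age {max_age} is below the assumed minimum {min_max_age}"
    return "ok", "HSTS header present with an adequate max-age"


if __name__ == "__main__":
    # Constructed sample responses, mirroring the two situations the article describes.
    missing = {"Content-Type": "text/html"}
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print(assess_hsts(missing, http_enabled=True))   # ('medium', ...)
    print(assess_hsts(missing, http_enabled=False))  # ('info', ...)
    print(assess_hsts(good, http_enabled=True))      # ('ok', ...)
```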