We want to use the Jetty server instead of the Tomcat server.
Is there any technical documentation regarding security settings (Broadcom's defaults and Jetty's defaults), Broadcom's testing of a new version, or hardening of the Jetty server?
Specifically:
Question 1: When there is a new Automic release, how is the Jetty server tested with the new release?
Question 2: When there is a new Automic release, is there always a new version of the Jetty server in parallel?
Question 3: How can the Jetty server be hardened, for instance in the case of a banking environment?
Question 4: What is different in the delivered Jetty server (configuration and at the program level) compared to the standard version?
Release: 21.0.7
Question 1: When there is a new Automic release, how is the Jetty server tested with the new release?
Broadcom runs the standard functionality tests, complemented by penetration tests.
The linked document describes the Broadcom Secure SDLC in more detail.
Question 2: When there is a new Automic release, is there always a new version of the Jetty server in parallel?
In new feature versions, we upgrade the embedded Jetty to the latest version.
In Service Pack releases, we update Jetty whenever there is a vulnerability.
Question 3: How can the Jetty server be hardened, for instance in the case of a banking environment?
Configure SSL in the AWI configuration properties.
It is general best practice not to expose the web servers to users directly, but to put your in-house reverse proxy in front of them.
Question 4: What is different with the delivered Jetty server (configuration and program-technically) compared to the standard version?
We set the following settings that are not on by default in an embedded Jetty:
disable sendServerVersion and sendXPoweredBy
enable httpOnlyCookies
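As an added example (not part of this article and not Broadcom's or Jetty's code), the following Python script checks an HTTP response from the AWI web server for the settings described in the answer to Question 4 (no Server header, no X-Powered-By header, HttpOnly on cookies) and for the TLS posture discussed in Question 3. It goes beyond the article by also flagging cookies without the Secure attribute and the absence of Strict-Transport-Security on a TLS endpoint, which are common additional checks in a hardened deployment. The two sample responses are constructed for illustration (the Jetty version strings in them are placeholders); `fetch_raw_head`, its arguments, and the request path "/" are assumptions for running the check against a real instance, ideally both against the Jetty listener directly and through the reverse proxy.

```python
"""Audit an HTTP response head for the embedded-Jetty hardening settings.

Added example: checks that the Server and X-Powered-By headers are absent
(sendServerVersion / sendXPoweredBy disabled), that every cookie carries
HttpOnly (httpOnlyCookies enabled), and, beyond the article, that cookies
on a TLS endpoint carry Secure and that HSTS is present.
"""
import email.message
import email.parser
import http.client
from typing import List, Tuple


def parse_response(raw: bytes) -> Tuple[str, email.message.Message]:
    """Split a raw HTTP/1.1 response into its status line and a header map.

    Only the head is needed; any body after the blank line is ignored.
    Repeated headers such as Set-Cookie are preserved (see get_all()).
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    headers = email.parser.BytesParser().parsebytes(header_block + b"\r\n")
    return status_line.decode("iso-8859-1"), headers


def audit_headers(headers: email.message.Message, over_tls: bool) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings: List[str] = []
    # sendServerVersion disabled means Jetty omits the Server header entirely
    if headers.get("Server") is not None:
        findings.append(f"Server header reveals software: {headers['Server']}")
    # sendXPoweredBy disabled means no X-Powered-By header
    if headers.get("X-Powered-By") is not None:
        findings.append(f"X-Powered-By header present: {headers['X-Powered-By']}")
    # httpOnlyCookies enabled means every Set-Cookie carries HttpOnly
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        # attribute names after the first ';', lower-cased, values dropped
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        # extra check not from the article: Secure on TLS endpoints
        if over_tls and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    # extra check not from the article: HSTS on TLS endpoints
    if over_tls and headers.get("Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header on a TLS endpoint")
    return findings


def audit_response(raw: bytes, over_tls: bool) -> List[str]:
    """Convenience wrapper: parse a raw response head and audit its headers."""
    _status, headers = parse_response(raw)
    return audit_headers(headers, over_tls)


def fetch_raw_head(host: str, port: int, use_tls: bool, path: str = "/") -> bytes:
    """Fetch the response head of a live server (assumed host/port/path).

    Not executed offline; pass the result to audit_response().
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample: what an unhardened embedded Jetty typically sends
DEFAULT_JETTY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Jetty(9.4.x)\r\n"
    b"X-Powered-By: Jetty(9.4.x)\r\n"
    b"Set-Cookie: JSESSIONID=node0abc123.node0; Path=/\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample: the hardened shape the checks above expect over TLS
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: JSESSIONID=node0abc123.node0; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_JETTY), ("hardened", HARDENED)):
        print(label, audit_response(sample, over_tls=True) or "OK")
```

Run the audit against the Jetty listener itself as well as through the reverse proxy: a proxy may strip or add headers, so a clean result at the proxy does not prove the embedded server is configured as described.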