The customer's Tenable vulnerability scanner reports that the HCX Manager web server (TCP port 443) is not enforcing HTTP Strict Transport Security (HSTS). The finding is reported as:
The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Tenable requests "https://<hcx-ip>/", which HCX Manager answers with a 302 redirect. The Strict-Transport-Security header is not present on that response because the Apache `Header set` directive, without the `always` condition, only adds headers to successful (2xx) responses; none of the configured security headers are added to the 302 redirect, so the scanner sees no HSTS header.
This is resolved by adding the `always` condition to the Strict-Transport-Security line in /opt/vmware/config/apache-http/hcx-virtual-hosts.conf, so that the header is sent on every response, including redirects.
The line before modification:
Header set Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
The line after modification:
Header always set Strict-Transport-Security "max-age=31536000 ; includeSubDomains"
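As an added example, not part of the original article, the following shell script shows how to confirm that the header is now returned on the redirect response, which is what the scanner actually tests. The live check assumes HCX Manager is reachable at https://<hcx-ip>/ (substitute your own address) and passes `-k` to curl on the assumption that the appliance uses a self-signed certificate; the two sample responses in the script are constructed to illustrate the before and after cases and are not captured from a real appliance.

```shell
#!/bin/sh
# Added example (not from the KB article): check whether a raw HTTP response
# carries a Strict-Transport-Security header with a non-zero max-age.
#
# Live check against the appliance (address and -k are assumptions):
#   curl -sk -o /dev/null -D - https://<hcx-ip>/ | hsts_status
# -D - prints the response headers, including those on the 302 redirect,
# so this mirrors what the scanner sees.

# Reads response headers on stdin and prints "present" or "missing".
# Header names are case-insensitive, and CRLF line endings are stripped
# first so the anchored match works on real curl output.
hsts_status() {
    if tr -d '\r' | grep -iqE '^strict-transport-security:[[:space:]]*max-age=[1-9][0-9]*'; then
        echo present
    else
        echo missing
    fi
}

# Constructed sample: the 302 redirect as served with plain "Header set",
# where mod_headers only decorates 2xx responses.
BEFORE_FIX='HTTP/1.1 302 Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Location: https://<hcx-ip>/hybridity/ui/
Content-Length: 0
'

# Constructed sample: the same redirect after "Header always set".
AFTER_FIX='HTTP/1.1 302 Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Location: https://<hcx-ip>/hybridity/ui/
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Length: 0
'

echo "before fix: $(printf '%s' "$BEFORE_FIX" | hsts_status)"   # missing
echo "after fix:  $(printf '%s' "$AFTER_FIX" | hsts_status)"    # present
```

Run the live check both before and after the configuration change has taken effect: the first run should print "missing" and the second "present". If the second run still reports "missing", the edited virtual host is not the one serving port 443, or the change has not been picked up by Apache yet.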
None. Adding `always` has no security impact; it only causes the already configured Strict-Transport-Security header to be sent on non-2xx responses such as the 302 redirect as well.