When the URL https://<AWI>:<SSLPort>/ is requested from the AWI module, the HTTPS response headers do not contain the HSTS (Strict-Transport-Security) header.
Response from URL call to the root path - https://<AWI>:<SSLPort>/ (not OK):
Response to URL call https://<AWI>:<SSLPort>/awi (OK):
Conclusion: The HSTS (Strict-Transport-Security) response header is only sent for the "/awi" URL, but not for "/".
The HSTS RFC (https://datatracker.ietf.org/doc/html/rfc6797) does not exclude HTTP 3xx responses from carrying the header, so a redirecting "/" is expected to send it as well.
Even though exploiting this gap is very unlikely, security scanners consider this a potential vulnerability.
In the article https://knowledge.broadcom.com/external/article/187684/awi-security-vulnerability-no-hsts-heade.html we read the following:
Reproduction:
http.security.sts.enabled=true
http.security.sts.maxage=31536000
Call https://<AWI>:<SSLPort>/ and https://<AWI>:<SSLPort>/awi and use the browser's Developer Tools to check the response headers. Only the URL with "/awi" contains the HSTS header. Even though exploiting this gap is very unlikely, security scanners consider this a potential vulnerability. This is therefore considered to be a defect.
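The following Python script is an added example, not part of the article or of the Automic product, for checking the behaviour described above in a repeatable way: it inspects the Strict-Transport-Security header of each response on its own, without following redirects, so the header on the 3xx answer for "/" is judged rather than the header of the page it redirects to. The function names, the hostname awi.example:8443 and the two sample responses are constructed for illustration; the root response is assumed to be a redirect without HSTS, as the article describes. The max-age threshold mirrors the http.security.sts.maxage value of 31536000 used in the reproduction.

```python
"""Check whether an HTTPS endpoint sends Strict-Transport-Security (HSTS)
on every path, including redirecting ones such as "/"."""
import http.client
import ssl
from urllib.parse import urlsplit

HSTS_HEADER = "strict-transport-security"
MIN_MAX_AGE = 31536000  # one year, matching http.security.sts.maxage above


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_finding(status: int, headers: dict) -> dict:
    """Classify one response: 'missing' (no header, the defect described
    in the article), 'weak-max-age', or 'ok'. A 3xx response is judged
    exactly like a 200, since RFC 6797 does not exempt redirects."""
    value = headers.get(HSTS_HEADER)
    if value is None:
        return {"status": status, "finding": "missing", "max_age": None}
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = 0  # absent or malformed max-age counts as weak
    finding = "ok" if max_age >= MIN_MAX_AGE else "weak-max-age"
    return {"status": status, "finding": finding, "max_age": max_age}


def audit_raw(responses: dict) -> dict:
    """Audit a mapping of path -> raw response bytes (offline)."""
    return {path: hsts_finding(*parse_raw_response(raw))
            for path, raw in responses.items()}


def fetch_no_redirect(url: str, timeout: float = 10.0):
    """Live variant: GET the URL without following redirects so the header
    on the 3xx itself is inspected. Returns (status, headers) in the same
    shape as parse_raw_response(); feed the result to hsts_finding()."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers


# Constructed sample responses (not captured from a real AWI instance):
# "/" is assumed to redirect to "/awi" and to lack HSTS, as the article describes.
SAMPLE_RESPONSES = {
    "/": (b"HTTP/1.1 302 Found\r\n"
          b"Location: https://awi.example:8443/awi\r\n"
          b"Content-Length: 0\r\n\r\n"),
    "/awi": (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html;charset=UTF-8\r\n"
             b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
             b"<html>...</html>"),
}

if __name__ == "__main__":
    for path, result in audit_raw(SAMPLE_RESPONSES).items():
        print(f"{path:5} HTTP {result['status']}: HSTS {result['finding']}")
```

Against the sample data the script reports "/" as missing and "/awi" as ok, which is the state the article describes before the fix. To run it against a real instance, replace the sample with `hsts_finding(*fetch_no_redirect("https://<AWI>:<SSLPort>/"))`; after updating to a fix version both paths should report ok.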
Solution:
Update to a fix version listed below or a newer version if available.
Fix version:
Component(s): Automic.Web.Interface
Automation.Engine 21.0.14 - first half 2025
Automation.Engine 24.4.0 - April 2025
The reference for this fix is DE155834