The JCP Rest response does not include the headers defined on UC_HTTP_RESPONSE_HEADERS for the request performed just to the JCP REST port as the security scanners like Nessus perform:
See below the comparison with a regular JCP where these headers are indeed provided in the response:

JCP:

curl -k -i https://localhost:8443
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 09:55:27 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: maxage=6307200;includeSubDomains
X-Content-Type-Options: nosniff
Content-Length: 18

WebSocket deployed

JCP REST on the port:

curl -k -i http://localhost:8088
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 09:59:47 GMT
Content-Length: 17

REST API deployed

JCP REST on some REST API endpoint like on /ae/api/v1:

curl -k -i http://localhost:8088/ae/api/v1
HTTP/1.1 303 See Other
Date: Thu, 13 Nov 2025 11:06:20 GMT
Location: http://localhost:8088/ae/api/v1/openapi2/index.html
Strict-Transport-Security: maxage=6307200;includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 0

Expected behavior: same as JCP, JCP REST should return the security headers, no matter what the endpoint is
Actual behavior: the JCP REST does not return the security headers when just testing the port with a query like "curl -k -i http://ae_hostname:8088" but it does with "curl -k -i http://ae_hostname:8088/ae/api/v1"

Automation Engine 24.x

Component: JCP REST API

DE178776

The issue has been confirmed to be a defect by our Engineering team.
A fix will be provided in a future version.