We have deployed PAM 4.2.0-1 and are scanning the system for vulnerabilities with the Tenable Nessus system. It is detecting the vulnerability with plugin #142960 (called HSTS Missing From HTTPS Server (RFC 6797)).
Normally, this is an easy fix for Apache, Tomcat, or IIS implementations. However, PAM appears to use some sort of custom HTTP/HTTPS server, and we're unable to locate a configuration file to enforce the Secure Transport Settings that are reflected in HTTP headers and allow the system to scan clean of vulnerabilities. Have any other users found any solution? We have opened a case with support. Thus far, they've been unable to help and are in contact with the PAM development team.