When performing a security scan, HSTS is not enabled at the root level. It is required to have it enabled.
Example:
https://domain:5814/ does not show HSTS enabled.
But the URL domain:5814/.../login has HSTS response headers enabled.
In the web.xml file located in the path \autopass\apls\apls\conf the following was configured:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
However, it doesn't work.
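
An added example, not part of the original post: a per-path check of the Strict-Transport-Security header over captured response heads, which shows where the header is missing, unparsable or too short. The paths and raw responses are constructed samples (the post's elided login path is represented by a placeholder "/login"), and the function names are assumptions of this example.

```python
# Added example: audit captured response heads for HSTS on each path.
# SAMPLES is constructed data, not scan output from the post.
import re

SAMPLES = {  # constructed: path -> raw response head
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "/login": ("HTTP/1.1 200 OK\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n"
               "Content-Type: text/html\r\n\r\n"),
    "/old": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
}

def parse_headers(raw):
    """Return (status, {lowercased-name: [values]}) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value):
    """Parse an HSTS header value into (max_age or None, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age" and re.fullmatch(r'"?\d+"?', val.strip()):
            max_age = int(val.strip().strip('"'))
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(samples, min_age=31536000):
    """Map each path to 'ok', 'missing', 'invalid' or 'too-short'."""
    result = {}
    for path, raw in samples.items():
        _, headers = parse_headers(raw)
        values = headers.get("strict-transport-security")
        if not values:
            result[path] = "missing"
            continue
        max_age, _ = parse_hsts(values[0])  # RFC 6797: only the first header counts
        if max_age is None:
            result[path] = "invalid"
        else:
            result[path] = "ok" if max_age >= min_age else "too-short"
    return result
```

Feeding it the response heads captured for the root URL and the login URL gives one verdict per path, so the gap at the root is visible without rerunning the full scan.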