Securing MarkLogic Server

Setting Response Headers for HTTPS-Enabled App Servers

App servers that use HTTPS do not set the Strict-Transport-Security response header by default. MarkLogic Server provides options to control HSTS (HTTP Strict Transport Security) headers.

Note

These options are only effective when the app server is configured with HTTPS.

You can set the max age value for the HSTS response headers. Setting the max age value to 0 (over an HTTPS connection) immediately expires the Strict-Transport-Security header, allowing access via HTTP. The typical value used for HSTS is one year, expressed as 31536000.
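A response-header check for the behaviour described above, as an added example that is not MarkLogic code: it parses a Strict-Transport-Security value and flags a missing header, a max age of 0, and values under one year. The function names, the dict-of-headers input and the "short" classification are assumptions of this example; the parsing rules follow RFC 6797.

```python
import re

ONE_YEAR = 31536000  # the typical max age named on this page (RFC 6797 counts it in seconds)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Per RFC 6797 section 6.1: directive names are case-insensitive, a
    directive may appear only once, and max-age is required.
    Raises ValueError for a header a browser would ignore.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # a value may be sent as a quoted-string
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        raise ValueError("missing or non-numeric max-age")
    directives["max-age"] = int(directives["max-age"])
    return directives

def assess(headers, scheme="https"):
    """Classify one response's HSTS state; `headers` maps lowercase names to values."""
    if scheme != "https":
        return "ignored: browsers disregard HSTS received over plain HTTP"
    raw = headers.get("strict-transport-security")
    if raw is None:
        return "absent: no HSTS policy (the app server default)"
    try:
        policy = parse_hsts(raw)
    except ValueError as exc:
        return f"invalid: {exc}"
    if policy["max-age"] == 0:
        return "expired: max-age=0 removes the policy, HTTP access allowed again"
    if policy["max-age"] < ONE_YEAR:
        return f"short: max-age={policy['max-age']} is below one year"
    return "ok"
```

Feed `assess` the lowercased response headers captured from each HTTPS app server after changing its HSTS options; any result other than "ok" means browsers are not holding a one-year policy for that host.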

These options can be set in three different ways.