I have a Windows 2016 server with IIS, and everything is set to HTTPS. But a security scanner reported:
HSTS Missing From HTTPS Server (RFC 6797)
The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header. Configure the remote web server to use HSTS.
If I look at the response in the browser Developer Tools, I see only HTTPS with Strict-Transport-Security: max-age=31536000. So I don't see it as absent. How do I test it? How do I validate this security finding? And how do I fix it, if it's actually an existing issue?
More details: In the IIS settings HTTP redirect is off.
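One way to validate a finding like this, as an added example that is not part of the original post: classify the Strict-Transport-Security header of each response separately against the RFC 6797 rules, because the Developer Tools view only covers the responses the browser happened to load. The function names and the sample responses below are constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of directives, or None when the value is invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # empty directives are allowed by the grammar
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        if name in directives:
            return None                   # a repeated directive invalidates the header
        directives[name] = arg.strip().strip('"')   # value may be a quoted-string
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None                       # max-age is required and must be digits
    return directives

def audit_response(raw):
    """Classify one raw response head: 'ok', 'missing', 'invalid' or 'disabled'."""
    values = []
    for line in raw.strip().splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                                    # end of the header block
        name, _, val = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            values.append(val.strip())
    if not values:
        return "missing"
    parsed = parse_hsts(values[0])        # user agents process only the first field
    if parsed is None:
        return "invalid"
    return "disabled" if int(parsed["max-age"]) == 0 else "ok"

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "200 page": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n",
    "404 error": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "no max-age": "HTTP/1.1 200 OK\r\nstrict-transport-security: includeSubDomains\r\n\r\n",
    "max-age=0": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
}

def audit_all(samples=SAMPLES):
    """Return {label: classification} for every sample response."""
    return {label: audit_response(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, result in audit_all().items():
        print(f"{label:12} {result}")
```

To check a live server, save the response heads for the URLs the scanner reports and pass them to `audit_response` one at a time.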