Hey,

I've just opened a JIRA <https://issues.apache.org/jira/browse/KNOX-3111> on this subject as well. The issue is that the Strict-Transport-Security headers are missing for 404 responses. Currently this config is topology-wide and set in the WebAppSec provider. To include this header for 404, it has to be set in Jetty with a handler. However, this is a global configuration, meaning every response would contain it if enabled. This should be put in the gateway-site.xml file.

Does anyone have any suggestions?

Regards,
Tamas