The Apache that is deployed and configured by the provided Chef deployment was always setting the HTTP Strict-Transport-Security response header for HTTP and HTTPS requests. The HTTP Strict-Transport-Security header is not needed for HTTP requests and for HTTPS requests it was set twice, with different values, which leads to undefined behavior. As the CAE always sets the HTTP Strict-Transport-Security header (only) when it's actually required, it has been disabled in the Apache configuration.

(CMS-16146)