On Azure, I created a new API Management Service and behind it I connected all the APIs.
After a penetration test, there was only one vulnerability detected from the security company that is No HSTS Header observed.
The HTTP Strict Transport Security (HSTS) policy defines a time-frame where a browser must connect to the web server via HTTPS. Without a Strict Transport Security policy the web application may be connect to the application using unencrypted HTTP. The application does not specify any HSTS configuration.
If the web application mixes usage of HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets in a manner that the switch to the secured page is not performed or done in a manner, that the attacker remains between client and server.
If there is no HTTP server, an attacker in the same network could simulate a HTTP server and motivate the user to click on a prepared URL by a social engineering attack.
So, my question is: how can I apply this policy across my APIs?