Current versions of NXRM 3 running on Jetty Server 9.3.7 or newer can support HTTP Strict Transport Security (HSTS, https://tools.ietf.org/html/rfc6797) for inbound connections.
Enabling HSTS has been requested by a few users of NXRM, and when enabled it helps a deployment earn an A+ rating on ssllabs.com.
Jetty Server change adding this feature:
Adjust our shipped jetty-https.xml to enable HSTS by default.
All that is needed is to adjust the SecureRequestCustomizer creation from this:
For the justification of the 90-day max-age default, see https://letsencrypt.org/2015/11/09/why-90-days.html.
For the justification of NOT including sub-domains under HSTS by default: we believe this carries a lower risk of indirectly affecting other applications hosted at different sub-domains in the same organization.
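The adjusted customizer, written out here as an added illustration rather than the patch attached to this issue: the enclosing `HttpConfiguration` element, its `id` of `httpsConfig` and the `httpConfig` reference are assumptions about NXRM's shipped file, while the constructor arguments and `jetty.ssl.*` property names are the ones Jetty uses in its own `jetty-ssl.xml`.

```xml
<!-- Added example (not the issue's patch). The ids "httpsConfig" and "httpConfig"
     are assumed; the SecureRequestCustomizer arguments are Jetty's own. -->

<!-- Before: the no-argument constructor keeps Jetty's stsMaxAgeSeconds default of -1,
     so no Strict-Transport-Security header is ever sent. -->
<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
  </Call>
</New>

<!-- After: use the three-argument constructor. sniHostCheck=true is unchanged from
     the no-argument default; 7776000 seconds is the 90-day max-age; sub-domains are
     left out so other hosts under the same parent domain are not affected. -->
<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
        <Arg name="sniHostCheck" type="boolean">
          <Property name="jetty.ssl.sniHostCheck" default="true"/>
        </Arg>
        <Arg name="stsMaxAgeSeconds" type="int">
          <Property name="jetty.ssl.stsMaxAgeSeconds" default="7776000"/>
        </Arg>
        <Arg name="stsIncludeSubdomains" type="boolean">
          <Property name="jetty.ssl.stsIncludeSubdomains" default="false"/>
        </Arg>
      </New>
    </Arg>
  </Call>
</New>
```

After a restart, responses on the HTTPS connector should carry `Strict-Transport-Security: max-age=7776000`; per RFC 6797 browsers ignore the header when it arrives over plain HTTP, which is why it belongs in jetty-https.xml and not on the HTTP connector.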