We have load-balanced AWI servers. Our Vulnerability Scanning Group scanned the AWI servers directly on port 8080 and marked these as vulnerabilities:
HTTP Cookie missing Secure attribute on JSESSIONID
X-Content-Type-Options HTTP Header missing
Are there any configuration settings in configuration.properties where headers and parameters for JSESSIONID can be set?
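
A check for the two findings listed above, as an added example that is not part of the original post: it audits a raw HTTP response head for the Secure attribute on JSESSIONID and for X-Content-Type-Options: nosniff, so a change can be verified before the next scan. The sample response, cookie value, path and function names are constructed for illustration.

```python
# Constructed sample response head, not captured from a real AWI server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/awi; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive, so compare them lower-cased.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw, cookie_name="JSESSIONID"):
    """Return a list of findings for the two issues named in the scan."""
    findings = []
    headers = parse_headers(raw)
    # A response may carry several Set-Cookie headers; check each one.
    for name, value in headers:
        if name == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if cname == cookie_name and "secure" not in attrs:
                findings.append(f"{cookie_name} cookie missing Secure attribute")
    xcto = [v.lower() for n, v in headers if n == "x-content-type-options"]
    if not xcto:
        findings.append("X-Content-Type-Options header missing")
    elif any(v != "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```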