Tenable / Nessus Plugin 84502: HSTS Missing From HTTPS Server

Tenable’s Description:
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.

My server has this setting in /etc/gitlab/gitlab.rb:

external_url 'https://<FQDN>/gitlab'

I also set

nginx['hsts_max_age'] = 63072000
nginx['hsts_include_subdomains'] = false

When I go to the web URL


I get a 404, and the HSTS header is not included.

If I go to


I am redirected to


and the HSTS header is included.

Because Nessus does not follow redirects, this test returns a failure.

Any suggestions how to get the HSTS header to show for the server root URL?
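An added check, written here as example code rather than taken from the post, from Nessus or from GitLab: it evaluates one HTTPS response without following redirects, the way the scanner does, so the root path is flagged when that first response (a 404 or a redirect) lacks the header even though the redirect target sets it. The sample responses and host name are constructed; `check_live` is a hypothetical helper for running the same evaluation against your own server.

```python
# Added example: evaluates one HTTPS response the way a scanner that does not
# follow redirects does. Hypothetical code, not Nessus' plugin or GitLab's.
import http.client
import re

# Constructed responses modelled on the post: the server root answers 404
# without HSTS, while /gitlab redirects and carries the header.
ROOT_RESPONSE = ("HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
                 "Content-Type: text/html\r\n\r\n")
GITLAB_RESPONSE = ("HTTP/1.1 302 Found\r\nServer: nginx\r\n"
                   "Location: https://example.invalid/gitlab/users/sign_in\r\n"
                   "Strict-Transport-Security: max-age=63072000\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercase name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def evaluate_hsts(status, headers, min_age=31536000):
    """Return (ok, reason). The header must be on this very response; a 404 or
    a redirect whose target sets it is still a finding for the scanned path."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        hint = f", redirects to {headers['location']}" if "location" in headers else ""
        return False, f"status {status}: no Strict-Transport-Security{hint}"
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < min_age:
        return False, f"status {status}: max-age missing or below {min_age}: {hsts}"
    return True, f"status {status}: HSTS present: {hsts}"

def check_live(host, path="/"):
    """Fetch a single response (no redirect following) and evaluate it."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return evaluate_hsts(resp.status, headers)

if __name__ == "__main__":
    for path, raw in (("/", ROOT_RESPONSE), ("/gitlab", GITLAB_RESPONSE)):
        print(path, *evaluate_hsts(*parse_response(raw)))
```

Running it against the constructed responses reports the root path as failing and /gitlab as passing, which matches the plugin's behaviour described above.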