Could you explain why these headers would be required for automatically generated redirects from Load balancers returning alternate status codes? Our findings are appearing only on port 80 for systems generating return Status Codes in the 300 Redirect range. Example 302s. In this case, the header is not protecting anything with the retransmission that isn't being covered already by 443 listening application. These appear to be a false positive. If so, could Qualys update the scan to take redirect status codes into consideration before declaring the finding.