Improvement
Resolution: Fixed
Minor
None
10.v6e229055329a
HSTS on Jenkins is currently only supported by the HSTS Filter Plugin, which is no longer maintained and leads to some problems (e.g. you can't uninstall the WMI plugin because it has that defined as a dependency).
As HSTS is still recommended to ensure that no traffic is sent over HTTP (see MDN or OWASP), the server can be added to the HSTS preload list, so that no redirect from HTTP to HTTPS is necessary anymore.
Basically, it would be enough if Jenkins allowed defining custom headers via systemctl edit (which does not seem to be possible so far), but it would be better to have this integrated into the core.
So my suggestion is:
- Jenkins should provide an option to enable/disable the header and to configure the lifetime of the header (disabled by default to avoid problems when setting up Jenkins).
- If HTTPS (or HTTP/2) is enabled, Jenkins should show a warning when the option is disabled.
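As an added example (not part of this issue or of Jenkins), the following Python check parses a Strict-Transport-Security header and reports whether its lifetime and directives would satisfy the preload-list requirements mentioned above; the sample headers are constructed, and the preload thresholds are an assumption taken from hstspreload.org that should be verified against the current policy.

```python
"""Validate a Strict-Transport-Security header against HSTS preload requirements.

Added example with constructed sample headers, not Jenkins output.
"""
from typing import Dict, List, Optional

# Preload-list requirements (assumption: as published on hstspreload.org;
# verify against the current policy before relying on them).
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, in seconds


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an HSTS header value into its directives (names are case-insensitive).

    Returns None when max-age is missing or malformed, because RFC 6797 requires
    max-age and browsers ignore a header without a valid one.
    """
    directives: Dict[str, object] = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            directives["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            directives[name] = True
    return directives if "max-age" in directives else None


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means preload-ready."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["max-age directive missing or malformed; browsers ignore the header"]
    findings: List[str] = []
    if parsed["max-age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif parsed["max-age"] < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max-age']} is below the preload minimum {PRELOAD_MIN_MAX_AGE}")
    if not parsed.get("includesubdomains"):
        findings.append("includeSubDomains directive missing (required for preload)")
    if not parsed.get("preload"):
        findings.append("preload directive missing (required for preload)")
    return findings
```

Running `check_hsts` over the headers returned by a Jenkins instance (for example via `requests.head(url).headers`) shows at a glance whether the configured lifetime is long enough for the preload list.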