The HTTP port and TLS 1.0 are enabled on GlassFish. We should add a way to disable them when installing in production mode. Use the HTTP Strict-Transport-Security response header, which lets a web site tell browsers that it should only be accessed using HTTPS. GlassFish discloses its supported HTTP methods (OPTIONS disclosure). Set the X-Content-Type-Options: nosniff header on all responses.
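A check for the findings listed above, as an added example that is not part of the original report or of GlassFish itself. The function names, finding labels and the raw responses are constructed for illustration; the listener state and TLS version list are assumed to come from your own scan or configuration export.

```python
# Added example: audits captured responses for the five findings in the report.
import re
from email.parser import Parser

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, case-insensitive headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(status_line.split()[1]), headers

def audit(https_get, options_resp, http_port_open, tls_versions):
    """Return finding labels (hypothetical names) in a fixed order."""
    findings = []
    if http_port_open:
        findings.append("plain-http-listener-enabled")
    if "TLSv1" in tls_versions or "TLSv1.0" in tls_versions:
        findings.append("tls1.0-enabled")
    _, get_h = parse_response(https_get)
    # HSTS only takes effect with a positive max-age; max-age=0 clears the policy.
    hsts = get_h.get("Strict-Transport-Security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("hsts-missing")
    if get_h.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("nosniff-missing")
    # A successful OPTIONS reply carrying an Allow header lists the methods.
    status, opt_h = parse_response(options_resp)
    if status < 400 and opt_h.get("Allow"):
        findings.append("options-discloses-methods")
    return findings

# Constructed sample responses (not captured from a real server).
DEFAULT_GET = "HTTP/1.1 200 OK\r\nServer: GlassFish\r\nContent-Type: text/html\r\n\r\n<html></html>"
DEFAULT_OPTIONS = ("HTTP/1.1 200 OK\r\n"
                   "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
                   "Content-Length: 0\r\n\r\n")
HARDENED_GET = ("HTTP/1.1 200 OK\r\n"
                "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                "X-Content-Type-Options: nosniff\r\n\r\n")
HARDENED_OPTIONS = "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(audit(DEFAULT_GET, DEFAULT_OPTIONS, True, ["TLSv1", "TLSv1.1", "TLSv1.2"]))
    print(audit(HARDENED_GET, HARDENED_OPTIONS, False, ["TLSv1.2"]))
```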