When you run penetration tests for SAS Environment Manager, the test results show different values from what was set for the Strict-Transport-Security header. It shows that the configuration in Lev1/Web/WebServer/conf/sas.conf for Content-Security-Policy (CSP) header cannot be applied. 

The CSP is set by SAS Web Server. However, SAS Environment Manager is not updated by SAS Web Server so the CSP does not get set.