https://bz.apache.org/bugzilla/show_bug.cgi?id=65996
Bug ID: 65996
Summary: HSTS header with Tomcat 9 for 400 Errors
Product: Tomcat 9
Version: 9.0.30
Hardware: PC
Status: NEW
Severity: blocker
Priority: P2
Component: Examples
Assignee: dev@tomcat.apache.org
Reporter: hblel....@gmail.com
Target Milestone: -----

Created attachment 38241
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38241&action=edit
Notice the missing HSTS headers on both examples

Using Tomcat v9.0.30, I was able to successfully configure HSTS headers for all responses (when served over HTTPS) for my Spring-based app using the built-in Tomcat filter HttpHeaderSecurityFilter: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

However, I have noticed that the headers were not added for a particular response with a 400 HTTP status. Below are some screenshots:

The issue seems to be specific to 400 errors, and particularly when characters that are non-compliant with RFC 7230 and RFC 3986 are used: "["

I know that these chars are now rejected by default by Tomcat v9.x.x for security reasons and that they can be allowed using the relaxedPathChars and relaxedQueryChars properties, but what about the 400 error response? Why is the HSTS header not added in that case, and is there a workaround (add the headers for the 400 response)? Is this a bug in Tomcat, if the HttpHeaderSecurityFilter is supposed to be applied to all responses?
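A small check script for the behaviour described in the report, added here as an example (it is not part of the Bugzilla report or of Tomcat): it requests a normal path and a path containing "[" over HTTPS and records whether Strict-Transport-Security is present on each response, so an operator can confirm whether connector-level 400 responses carry HSTS after a configuration change. Host, port and the "/[" probe path are assumptions; the HTTPS connection is only used when the script is run directly.

```python
"""Compare HSTS presence on a normal response and on the 400 that Tomcat 9
returns for a path containing a rejected character such as '['."""
import http.client
import ssl

HSTS = "strict-transport-security"


def hsts_present(headers):
    """Return True if a Strict-Transport-Security header carrying a max-age
    directive is present. `headers` is a list of (name, value) pairs, the
    shape returned by http.client.HTTPResponse.getheaders()."""
    for name, value in headers:
        if name.lower() == HSTS and "max-age=" in value.lower():
            return True
    return False


def fetch_headers(host, path, port=443, verify=True):
    """Send one GET with the path exactly as given and return (status, headers).
    http.client does not percent-encode the path, so '[' reaches the server
    verbatim, which is what triggers the connector-level 400 in the report."""
    ctx = ssl.create_default_context()
    if not verify:  # assumption: a self-signed certificate on a test host
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def audit(host, good_path="/", bad_path="/[", **kw):
    """Return {label: {"status": int, "hsts": bool}} for both probe paths;
    "/[" is a constructed probe path, not a value from the report."""
    results = {}
    for label, path in (("normal", good_path), ("rejected-char", bad_path)):
        status, headers = fetch_headers(host, path, **kw)
        results[label] = {"status": status, "hsts": hsts_present(headers)}
    return results


if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumption
    print(json.dumps(audit(host, port=8443, verify=False), indent=2))
```

A result where "normal" shows hsts true and "rejected-char" shows status 400 with hsts false reproduces the gap the reporter observed.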