
Using Tomcat v9.0.30, I was able to successfully configure HSTS headers for all responses (when served over HTTPS) for my Spring-based app using the built-in Tomcat filter HttpHeaderSecurityFilter: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html

However, I have noticed that the headers were not added for a particular response with a 400 HttpStatus. Below are some screenshots:


The issue seems to be specific to 400 errors, and particularly to requests that use characters that are not compliant with RFC 7230 and RFC 3986, such as "[".

I know that these characters are now rejected by default by Tomcat v9.x.x for security reasons and that they can be allowed using the relaxedPathChars and relaxedQueryChars properties, but what about the 400 error response?

Why is the HSTS header not added in that case, and is there a workaround (adding the headers to the 400 response)? Should it be reported as a bug in Tomcat, if the HttpHeaderSecurityFilter is supposed to be applied to all responses?

Cypher

1 Answer


Adding relaxedPathChars='[]' to the Connector element in server.xml fixed this for me on Tomcat 9.0.65.

I ended up using the following configuration to allow even more characters (to satisfy a security scan): server.xml -> Connector ->

relaxedPathChars='[]|' relaxedQueryChars='[]|{}^`"<>'

and setting the following start option (to allow [encoded] backslashes without the HSTS header breaking):

-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
Jeremy Caney
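A request target containing one of these characters is rejected by the connector before the servlet filter chain runs, so HttpHeaderSecurityFilter never sees that 400. The following added check (not part of the question, the answer or Tomcat) sends such targets at your own server over TLS and reports every response, whatever its status code, that lacks a usable Strict-Transport-Security header; the probe paths, the sample responses and the `/hsts-check` prefix are constructed for this example.

```python
import http.client
import ssl

# Constructed request targets: the first is a control, the rest carry characters
# that Tomcat 9 rejects with a connector-level 400 unless relaxed in server.xml.
PROBE_TARGETS = [
    "/hsts-check",           # normal request, should reach the filter
    "/hsts-check[1]",        # '[' ']'  -> relaxedPathChars
    "/hsts-check?q=a|b",     # '|'      -> relaxedQueryChars
    "/hsts-check?q={1}",     # '{' '}'  -> relaxedQueryChars
    "/hsts-check%5Cx",       # encoded backslash -> ALLOW_BACKSLASH
]

def hsts_ok(headers, min_max_age=31536000):
    """True if headers (iterable of (name, value) pairs, name case-insensitive)
    carry Strict-Transport-Security with max-age >= min_max_age."""
    value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"')) >= min_max_age
            except ValueError:
                return False
    return False  # header present but without max-age: browsers ignore it

def audit(responses, min_max_age=31536000):
    """responses: iterable of (target, status, headers); returns the (target, status)
    pairs whose response lacks a usable HSTS header, 400s included."""
    return [(t, s) for t, s, h in responses if not hsts_ok(h, min_max_age)]

def probe(host, port=443, targets=PROBE_TARGETS, timeout=5):
    """Collect (target, status, headers) over TLS. http.client sends the request line
    as given, so '[' is not percent-encoded away and the 400 can actually be observed."""
    ctx, out = ssl.create_default_context(), []
    for target in targets:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        try:
            conn.request("GET", target)
            resp = conn.getresponse()
            out.append((target, resp.status, resp.getheaders()))
        finally:
            conn.close()
    return out

# Constructed sample of the behaviour in the question: 200 has HSTS, the 400 does not.
SAMPLE = [
    ("/hsts-check", 200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("/hsts-check[1]", 400, [("Content-Type", "text/html;charset=utf-8"), ("Content-Length", "0")]),
]

if __name__ == "__main__":
    import sys
    for target, status in audit(probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE):
        print(f"missing HSTS: {status} {target}")
```

Run it with your hostname as the only argument after changing server.xml; an empty report means every probed status code now carries the header.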