I have a web application that is being served through an nginx server and this question comes after a penetration test that raised the flag on this matter.
In the nginx configuration I have the "strict transport security" header for all requests and all requests normally done come with a response that contains the "strict transport security" header.
But if I add the query param to the request a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c my springboot api gives an error:
"Error parsing HTTP request header ... Invalid character found in the request target"
and returns a 400 bad request.
I know that spring normally adds some default response headers even if the request didn't specified them but in this case none of the them are being added.
So my questions are:
Why isn't springboot adding the default headers? This seems to be the expected behavior but I fail to understand why can't these headers be added even though the request query params cannot be parsed.
Does this actually poses a threat to the web application? My basic security knowledge and some research I have done lead me to believe that yes, since if the request response doesn't contain the HSTS header the client could somehow be tricked to send requests using HTTP and leave the token exposed.
Can someone enlighten me a bit on the matter and tell me (or at least point me in the right direction) how I should address the issue in the springboot api side?
Thank you