Expected Behavior

By default, Spring sends an HSTS (Strict-Transport-Security) header, though this can be configured. Requests that are rejected by the StrictHttpFirewall (with a RequestRejectedException) should result in a response with an HSTS header, like all other requests, given that the protocol is HTTPS and HSTS is enabled.

Current Behavior

Requests that are rejected by the StrictHttpFirewall currently do not receive an HSTS header, while requests that are not rejected have the header in their response.

Context

The Web Application Scanner we use checks our application for presence of HSTS headers on any request it generates towards a live instance of our application. Some of our endpoints have path parameters (such as /api/v1/resource/:id/subresource), for which the scan creates a request (among others) /api/v1/resource//subresource - note the double slash because the ID is left out. Double slashes lead to a rejection of the request by the StrictHttpFirewall. That in turn results in a response without the HSTS header, which makes our scanner complain.

As a workaround, we have added a Bean for a RequestRejectedHandler that adds the header to the response and then terminates it with status 400.
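The following is an added illustration of such a workaround bean; it is not the reporter's code or part of Spring Security. It assumes Spring Security 6 (jakarta.servlet imports; on 5.x use javax.servlet), and the class name HstsOnRejectionConfig is made up. It reuses Spring's own HstsHeaderWriter, which only writes the header for secure (HTTPS) requests, so the rejected response carries the same policy as normal responses instead of a hand-typed header value; the max-age and includeSubDomains arguments should match whatever is configured for the application's regular HSTS header.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.header.writers.HstsHeaderWriter;

// Hypothetical configuration class (not from the issue or Spring Security).
@Configuration
public class HstsOnRejectionConfig {

    // Assumed policy: one year, include subdomains. Keep this identical to the
    // HSTS settings used for non-rejected responses so scanners see one policy.
    private static final long ONE_YEAR_SECONDS = 31536000L;
    private final HstsHeaderWriter hstsWriter = new HstsHeaderWriter(ONE_YEAR_SECONDS, true);

    @Bean
    public RequestRejectedHandler requestRejectedHandler() {
        return new RequestRejectedHandler() {
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response,
                    RequestRejectedException ex) throws IOException, ServletException {
                // HstsHeaderWriter checks request.isSecure() itself, so plain HTTP
                // requests (e.g. behind a TLS-terminating proxy without forwarded
                // headers configured) get no HSTS header, matching normal responses.
                hstsWriter.writeHeaders(request, response);

                // Same outcome as Spring's default HttpStatusRequestRejectedHandler:
                // terminate the rejected request with 400 Bad Request.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad Request");
            }
        };
    }
}
```

Declaring a bean of type RequestRejectedHandler is enough for Spring Security's WebSecurityConfiguration to pick it up for the FilterChainProxy. One thing to verify in a deployment behind a reverse proxy: request.isSecure() is only true if the container knows the original scheme was HTTPS (for example via ForwardedHeaderFilter or the server's proxy settings); otherwise both this handler and the regular HstsHeaderWriter will omit the header.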