diff --git a/acceptance-test/src/acceptance-test/java/org/zalando/nakadi/webservice/InvalidRequestAT.java b/acceptance-test/src/acceptance-test/java/org/zalando/nakadi/webservice/InvalidRequestAT.java
new file mode 100644
index 0000000000..d3964a9496
--- /dev/null
+++ b/acceptance-test/src/acceptance-test/java/org/zalando/nakadi/webservice/InvalidRequestAT.java
@@ -0,0 +1,17 @@
+package org.zalando.nakadi.webservice;
+
+import org.apache.http.HttpStatus;
+import org.junit.Test;
+
+import static com.jayway.restassured.RestAssured.given;
+
+public class InvalidRequestAT {
+ @Test(timeout = 10000)
+ public void whenRequestRejectedExceptionThrownThenResponseIs400() {
+ given()
+ .when()
+ .get("//")
+ .then()
+ .statusCode(HttpStatus.SC_BAD_REQUEST);
+ }
+}
diff --git a/app/src/main/java/org/zalando/nakadi/filters/RequestRejectedFilter.java b/app/src/main/java/org/zalando/nakadi/filters/RequestRejectedFilter.java
new file mode 100644
index 0000000000..188fbcca14
--- /dev/null
+++ b/app/src/main/java/org/zalando/nakadi/filters/RequestRejectedFilter.java
@@ -0,0 +1,34 @@
+package org.zalando.nakadi.filters;
+
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.web.firewall.RequestRejectedException;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+@Component
+@Order(Ordered.HIGHEST_PRECEDENCE)
+public class RequestRejectedFilter extends GenericFilterBean {
+
+ @Override
+ public void doFilter(final ServletRequest req,
+ final ServletResponse res,
+ final FilterChain chain)
+ throws IOException, ServletException {
+ try {
+ chain.doFilter(req, res);
+ } catch (RequestRejectedException e) {
+ final HttpServletResponse response = (HttpServletResponse) res;
+
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ }
+ }
+}
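Review bot: The catch block in `doFilter` turns a `RequestRejectedException` into a 400 without recording anything, so requests the Spring Security firewall refused leave no trace for detection or incident review. Log the rejection before `response.sendError(...)`, for example `LOG.warn("Request rejected by firewall from {}: {}", req.getRemoteAddr(), e.getMessage());`, with a logger field added to the class; this assumes the project logs through SLF4J, which the hunk does not show. The unchecked cast `(HttpServletResponse) res` and the `sendError` call also assume an HTTP response that has not been committed, so wrapping them in `if (!res.isCommitted())` would keep an `IllegalStateException` from replacing the intended 400. The class has no Javadoc; a short one saying that the filter is ordered `HIGHEST_PRECEDENCE` so that it wraps the filter that throws the exception (presumably the security filter chain) would explain the ordering to the next maintainer.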