nginx return 404 if query param contains special char '<'

Solution 1:

In my tests no matter how I entered the url (encoded or not) it always is encoded in the log file.
Here are two possibilities to accomplish your requirement:

if ($args ~* (param=.*(%3C|%3E).*)) {
   return 404;
}

or

In your location block:

if ($err404) {
   return 404;
}

In the http block (not inside the server block!):

map $args $err404 {
        ~param=.*(%3C|%3E).*            1;
        default                         0;
}