vaadin · vaadin-bot · Feb 10, 2026 · Feb 10, 2026
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java
@@ -438,13 +438,23 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
                 && !hostsAllowedFromCfg.isBlank()) ? hostsAllowedFromCfg : null;
 
         if (!isAllowedDevToolsHost(remoteAddress, hostsAllowed, true)) {
+            getLogger().debug(
+                    "Dev tools access denied for remote address '{}'. Allowed hosts: [{}]",
+                    remoteAddress, hostsAllowed);
             return false;
         }
         String remoteHeaderIp = configuration.getStringProperty(
                 SERVLET_PARAMETER_DEVMODE_REMOTE_ADDRESS_HEADER, null);
         if (remoteHeaderIp != null) {
-            return isAllowedDevToolsHost(request.getHeader(remoteHeaderIp),
-                    hostsAllowed, false);
+            String headerValue = request.getHeader(remoteHeaderIp);
+            boolean allowed = isAllowedDevToolsHost(headerValue, hostsAllowed,
+                    false);
+            if (!allowed) {
+                getLogger().debug(
+                        "Dev tools access denied for address '{}' from header '{}'. Allowed hosts: [{}]",
+                        headerValue, remoteHeaderIp, hostsAllowed);
+            }
+            return allowed;
         }
 
         Enumeration<String> allForwardedForHeaders = request
@@ -461,18 +471,35 @@ static boolean isAllowedDevToolsHost(AbstractConfiguration configuration,
                 // Validate all hops
                 String[] hops = forwardedFor.split(",");
                 if (hops.length > 0) {
-                    return Stream.of(hops).map(String::trim)
+                    boolean allAllowed = Stream.of(hops).map(String::trim)
                             .allMatch(ip -> isAllowedDevToolsHost(ip,
                                     hostsAllowed, false));
+                    if (!allAllowed) {
+                        getLogger().debug(
+                                "Dev tools access denied. Not all X-Forwarded-For addresses are allowed."
+                                        + " X-Forwarded-For: '{}'. Allowed hosts: [{}]",
+                                forwardedFor, hostsAllowed);
+                    }
+                    return allAllowed;
                 } else {
                     // Potential fake header with no addresses, e.g.
                     // 'X-Forwarded-For: ,,,'
+                    getLogger().debug(
+                            "Dev tools access denied because of empty or invalid X-Forwarded-For header");
                     return false;
                 }
 
             } else {
-                return isAllowedDevToolsHost(forwardedFor.trim(), hostsAllowed,
-                        false);
+                String trimmedForwardedFor = forwardedFor.trim();
+                boolean allowed = isAllowedDevToolsHost(trimmedForwardedFor,
+                        hostsAllowed, false);
+                if (!allowed) {
+                    getLogger().debug(
+                            "Dev tools access denied for X-Forwarded-For address '{}'."
+                                    + " Allowed hosts: [{}]",
+                            trimmedForwardedFor, hostsAllowed);
+                }
+                return allowed;
             }
         }
 

diff --git a/vaadin-dev-server/src/main/java/com/vaadin/base/devserver/DebugWindowConnection.java b/vaadin-dev-server/src/main/java/com/vaadin/base/devserver/DebugWindowConnection.java
@@ -191,12 +191,17 @@ protected DevToolsInterface getDevToolsInterface(
 
     @Override
     public void onConnect(AtmosphereResource resource) {
-        if (DevToolsToken.getToken()
-                .equals(resource.getRequest().getParameter("token"))) {
+        String requestToken = resource.getRequest().getParameter("token");
+        if (DevToolsToken.getToken().equals(requestToken)) {
             handleConnect(resource);
         } else {
-            getLogger().debug(
-                    "Connection denied because of a missing or invalid token. Either the host is not on the 'vaadin.devmode.hosts-allowed' list or it is using an outdated token");
+            if (requestToken == null) {
+                getLogger().debug(
+                        "Connection denied because the host is not on the 'vaadin.devmode.hosts-allowed' list");
+            } else {
+                getLogger().debug(
+                        "Connection denied because of an invalid or outdated security token.");
+            }
             try {
                 resource.close();
             } catch (IOException e) {