Add additional logging of potential malicious attacks

[henriknoren]

Hi.

I recently experienced what seems like an attempt to exploit known vulnerabilities to extract sensitive information. This was on a company internal network. The reason I noticed was the error messages below from nicegui. Thousands of calls where made within seconds.

In my scenario I would like to investigate this further, so some additional information in the logs would be useful. Would it make sense to add for example the IP address from the client making the call?

[WARNING] nicegui: https://xxx.yyy/guestbook.cgi not found
[WARNING] nicegui: https://xxx.yyy/webplus.exe?script=/../../../../etc/passwd not found
[WARNING] nicegui: https://xxx.yyy/config.php not found
[WARNING] nicegui: https://xxx.yyy/modules.php?set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../../../../../boot.ini not found
[WARNING] nicegui: https://xxx.yyy/guestbook.pl not found

[falkoschindler]

Thanks for the suggestion, @henriknoren! Including the client IP in our 404 log messages sounds like a reasonable improvement. We'll look into adding it.

In the meantime, here's a workaround. You can silence NiceGUI's default 404 warning and replace it with your own middleware that includes the IP:

import logging

class No404Filter(logging.Filter):
    def filter(self, record):
        return 'not found' not in record.getMessage()

logging.getLogger('nicegui').addFilter(No404Filter())

@app.middleware('http')
async def log_404(request, call_next):
    response = await call_next(request)
    if response.status_code == 404:
        logging.warning(f'{request.client.host} - {request.url} not found')
    return response

That said, for comprehensive security logging and rate limiting on a company network, a reverse proxy (nginx, Caddy, etc.) in front of NiceGUI would give you much more control.

[falkoschindler]

On second thought, we should be careful here. Under GDPR (and similar regulations), IP addresses are considered personal data. If NiceGUI starts including them in log messages by default, that could have unintended legal consequences for users — especially if logs are stored, shipped to monitoring services, or retained without proper consent.

So we'd rather not change the default logging. The middleware workaround above lets you consciously opt in to logging IPs, which puts the decision where it belongs: with the application developer who knows their compliance requirements.

[evnchn]

Agreed. Also we have multiple places where we return 404, and it's non-trivial to cover them all.

[henriknoren]

Thanks for the analysis guys, and I fully agree. Also thanks for the possible workaround.