Log missing static files at debug instead of info#37
Merged
Conversation
RenderStaticContent logged every failed os.Open at INFO level. In practice these are almost entirely vulnerability scanners probing for .env, .git/config, js/sendgrid.js and similar — normal 404s for files the hub doesn't ship. Logging them at INFO buried real operational events and crowded the About-page log viewer (last 20 lines). Downgrade to debug so the noise is still available on demand (flip log_level to debug) without polluting the default INFO stream. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
RenderStaticContentlogged every failedos.Openat INFO (render.go:82). These are almost entirely vulnerability scanners probing for.env,.git/config,js/sendgrid.jsand similar — normal 404s for files the hub doesn't ship.Recent live examples:
Why
At INFO they bury real operational events (websocket connects, payment flow) and crowd out the About-page log viewer, which only shows the last 20 lines (
/admin/api/about/logs). They carry no actionable per-line security signal — every public host gets this background radiation, and the probes find nothing because secrets live in the DB / phoenix config, not under/web-content/public/.Change
Downgrade the missing-file log to
debug. Still available on demand by settinglog_leveltodebug; just out of the default INFO stream.Scope kept surgical — left
suffix not recognised(fires only after a file opens successfully) andtemplate not found(internal template logic) at INFO, since neither is 404 probe noise.Version bumped 0.20.0 → 0.20.1 (PATCH, maintenance).
🤖 Generated with Claude Code