Prevent ERROR - Connector: 404 - file not found for file: ... in the logs

9
Lots of the apps I am working on have tons of messages in the logs like this:

ERROR - Connector: 404 - file not found for file: apisix/batch-requests

These are mostly bad people trying to get information about any app, looking for weak spots. It is not too big a concern, since there are lots of easy ways to find out the type of platform that is running the app. But is there a way to change the response and not log it?

Can everybody please upvote Johan Mattsson's idea on this: https://community.mendix.com/p/ideas/15762598695817640
asked
4 answers
3

IMHO Mendix should fix these. They should filter these URLs already on all incoming traffic. All the logs of all the Mendix applications are crawling with these exact same URLs, so they should have a pretty good picture of which URLs they should block.

Regards,

Ronald

answered
0

At the moment these 404 logging events are really only helpful for diagnosing actual missing files. From the security standpoint these messages are non-usable as they don't include client IP, HTTP referrer, etc. It would be nice to have some options to tune this via Runtime Customization parameters or with an environment variable usable within the docker mendix buildpack.

In my opinion, an on/off toggle for 404s should exist but additional information should be provided in the 404 message. Also, you should be able to negate 404s should a particular header be passed (helpful for negating messages when your own scheduled vulnerability scans are run).

answered
0

At the very least, a 404 shouldn't be classified the same as a 5xx error from an HTTP perspective, since a 404, like many other 4xx codes, indicates that the request is not valid, unauthorized, incomplete, etc.

Right now, these 404 logs are noted as ERROR, which is generally reserved in the Mendix Docs for a problem that requires immediate attention. In my opinion, a WARNING classification is more fitting here, since it *might* indicate a problem, but does not impact whether the application is working correctly. https://docs.mendix.com/refguide/log-levels/#level

The log level change is trivial and should be fixed ASAP if this is generally agreed upon, but I would also expect a blacklisting option in the future.

answered
-1

Personally I *do* want to see in my logs when someone is scanning my application. 

What I would appreciate as a feature is if Mendix provided an option to directly blacklist TCP connections from addresses listed on a few reliable IP blocklists. That should cut out most of the log noise caused by botnets.

answered
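
An added example (not part of any answer above, and not Mendix code): a small Python triage over the Connector 404 message format quoted in the question, separating 404s for paths the app really serves from unsolicited probes so that genuine missing files are not buried in scanner noise. The app path prefixes, the timestamp prefix and every sample line except the `apisix/batch-requests` path are constructed assumptions.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Message format as quoted in the question; anything before "ERROR" on the
# line (timestamp, node name) is ignored, since the page does not show it.
CONNECTOR_404 = re.compile(r"ERROR - Connector: 404 - file not found for file: (\S+)")

# Assumption: path prefixes this particular app really serves.
APP_PREFIXES = ("img/", "css/", "js/")

# Constructed sample lines; only "apisix/batch-requests" appears on the page.
SAMPLE_LOG = """\
2024-05-01 10:00:01 ERROR - Connector: 404 - file not found for file: apisix/batch-requests
2024-05-01 10:00:02 ERROR - Connector: 404 - file not found for file: apisix/batch-requests
2024-05-01 10:00:03 ERROR - Connector: 404 - file not found for file: img/logo-2023.png
2024-05-01 10:00:04 ERROR - Connector: 404 - file not found for file: wp-login.php
2024-05-01 10:00:05 ERROR - Connector: 404 - file not found for file: img/%2e%2e/admin/config.json
2024-05-01 10:00:06 INFO - Core: application started
"""


def normalize(path):
    """Percent-decode and collapse dot segments so prefix checks cannot be dodged."""
    decoded = unquote(path).replace("\\", "/").lstrip("/")
    return posixpath.normpath(decoded).lower()


def triage(lines, app_prefixes=APP_PREFIXES):
    """Return (missing_app_files, probes) as Counters keyed by normalized path."""
    missing, probes = Counter(), Counter()
    for line in lines:
        match = CONNECTOR_404.search(line)
        if not match:
            continue  # not a Connector 404 line
        path = normalize(match.group(1))
        bucket = missing if path.startswith(app_prefixes) else probes
        bucket[path] += 1
    return missing, probes


if __name__ == "__main__":
    missing, probes = triage(SAMPLE_LOG.splitlines())
    print("Missing app files (investigate):", dict(missing))
    print(f"Probe 404s: {sum(probes.values())} hits on {len(probes)} paths")
    for path, hits in probes.most_common(3):
        print(f"  {hits:>4}  {path}")
```

Because the message carries no client IP, this can only group by requested path; correlating probes to a source still needs the access log of whatever sits in front of the runtime.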