Weird http request found in the Node.js Express log file

Posted on

Weird http request found in the Node.js Express log file

my first public Node.js based web site (with Express) went to public couple weeks ago. I routinely checked the server log and sometimes there are some weird records.
Here are some examples:

- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)" - - [Sun, 20 Oct 2013 06:04:23 GMT] "GET HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"

Those are generated by the express.logger (logger: in the default format:

default ':remote-addr - - [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'

Only express.urlencoded() is used and express.cookieParser and express.session are not enable in my project.

Here are my questions:

  1. Why remote-addr are missing in the log? Would it be extreme difficult to get this info on node.js + express?
  2. It seems like someone tried to use my website as a proxy. How did he/she send a http request like GET And how should I block these kind of requests?
  3. Based on those records in the server log, is my web server security enough? Should I use helmet ( or CSRF ( in my project?

Many thanks.

Solution :

Your server is sending back 200 responses for those requests, so they seem to be handled by some route in your app (perhaps a catch-all route; it’s always returning 3539 bytes so it seems to be the same handler). Without knowing why your server is accepting those requests, it’s difficult to say if it’s secure or not.

You can easily use curl to generate requests like that:


As for the remote address being empty: sorry, don’t know 🙁 (perhaps IPv6? nope, requests passed over IPv6 seem to get logged just fine)

Leave a Reply

Your email address will not be published. Required fields are marked *