The site is written in Flask. It often receives requests of the form GET *some unrelated site* HTTP/1.1. For some of them Flask returns 404, and for some 200. It scares me that it returns 200 responses to such strange requests. Requests like this also come in:

178.149.185.231 - - [06/Sep/2017 22:19:37] code 400, message Bad HTTP/0.9 request type("îV\x9dÿÐG\x0fÔc\x0fXØ$\x1aõ\x02Áju\x9eÖR']\x1bõ")Èzæ»" HTTPStatus.BAD_REQUEST -

Should we be afraid of such requests, and how do we get rid of them?

    1 answer

    Log entries look as if your server is trying to use a proxy.

    HTTP clients should send requests with a link (absolute-URI) instead of just the path only to proxy servers, although the RFC for HTTP/1.1 does not explicitly forbid requests with links (RFC 7230, absolute-form):

    If you want to see the HTTP version of HTTP, you can still accept it.

    Considering that we already have the next version, HTTP/2, which works differently, it's not worth supporting links instead of the path for the sake of compatibility with an imaginary future version.

    Whether to return a 200 response if the domain in the link matches the expected Host header (no DNS request should be made), whether to return a 400 response for unrelated domains, or simply to drop the connection is up to you (RFC 7230):

    This is a request for a URI.

    Different servers behave differently. For example, nginx can be configured to discard such requests: if ($request ~* ^https?://) { return 444; }

    Flask's built-in server is not designed to be exposed directly to the Internet: "Flask's built-in server is not suitable for production." See what other options are available for deploying a web application written with Flask.
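
The "return 400 for unrelated domains" option from the answer above, sketched as a WSGI middleware; this is an added example, not code from the original post. The host names are constructed, `RejectForeignHosts`, `hostname_of`, `hello` and `guarded` are hypothetical names, and it assumes the server passes the raw request-target in the non-standard `REQUEST_URI` or `RAW_URI` environ key.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed sample names


def hostname_of(url):
    """Lower-cased host of a URL (port dropped), or None if there is none."""
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


class RejectForeignHosts:
    """WSGI middleware: answer 400 unless every host the request names is ours."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def named_hosts(self, environ):
        hosts = [hostname_of("//" + environ.get("HTTP_HOST", ""))]
        # Assumption: the server exposes the raw request-target under one of
        # these non-standard keys; without it only the Host header is checked.
        raw = environ.get("REQUEST_URI") or environ.get("RAW_URI") or ""
        if raw and not raw.startswith(("/", "*")):  # absolute-form, not a path
            hosts.append(hostname_of(raw))
        return hosts

    def __call__(self, environ, start_response):
        if all(h in self.allowed for h in self.named_hosts(environ)):
            return self.app(environ, start_response)
        body = b"Bad Request\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]


def hello(environ, start_response):
    """Stand-in application; with Flask, wrap app.wsgi_app instead."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


guarded = RejectForeignHosts(hello, ALLOWED_HOSTS)
```

With Flask the same class is installed with `app.wsgi_app = RejectForeignHosts(app.wsgi_app, ALLOWED_HOSTS)`. A request with no Host header at all is also answered with 400, because no allowed host is named.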