Raise log level from DEBUG to WARN for firewall-rejected requests in HttpStatusExchangeRejectedHandler #17471

Closed
@seungh0

Expected Behavior

It seems that logging request rejections from ServerWebExchangeFirewall at the WARN level would improve visibility in production environments, where debug logging is typically disabled.

Current Behavior

Currently, request rejections by ServerWebExchangeFirewall are logged at the DEBUG level. (HttpStatusExchangeRejectedHandler)
As debug logging is commonly turned off in production, these rejections can easily go unnoticed.

Context

This behavior affects our ability to monitor and detect unexpected request rejections in production environments.
To improve observability, we’d like these events to be logged more prominently — especially during version upgrades, where behavioral changes (such as those introduced with StrictServerWebExchangeFirewall in Spring Security 6.4.0) may occur silently.

Would you be open to considering this change?
Thank you for your time and consideration!

(It would be great if you could also take a look at the related PR: #17472)

Labels

- in: web - An issue in web modules (web, webmvc)
- status: duplicate - A duplicate of another issue
- type: enhancement - A general enhancement
