My first public website, Node.js (with Express), went public a couple of weeks ago. I regularly checked the server log, and sometimes there are some weird entries. Here are some examples:
- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
222.205.7.245 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
223.94.178.192 - - [Sun, 20 Oct 2013 06:04:23 GMT] "GET http://www.sciencedirect.com/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
They are generated by express.logger (logger: http://www.senchalabs.org/connect/logger.html) in the default format:
default ':remote-addr - - [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'
Used only express.urlencoded(); express.cookieParser and express.session are not included in my project.
Here are my questions:
- Why is remote-addr missing from the log? Would it be extremely difficult to get this information on Node.js + express?
- It seems someone was trying to use my site as a proxy. How did he send an HTTP request, for example GET http://www.google.com? And how do I block such requests?
- , -? (github.com/evilpacket/helmet) CSRF (www.senchalabs.org/connect/csrf.html) ?
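One way to refuse the proxy-style requests shown in the log above, as an added example that is not part of the original post: a Connect/Express-style middleware that inspects the raw request-target (`req.url`, the logger's `:url` field) and rejects absolute URLs for hosts the site does not serve. The names `classifyTarget`, `rejectProxyRequests` and `ALLOWED_HOSTS`, and the `example.com` hostnames, are assumptions made for illustration.

```javascript
// Added example, not from the original post. classifyTarget, rejectProxyRequests
// and ALLOWED_HOSTS are hypothetical names; the hostnames are placeholders.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Classify the raw request-target (req.url in Node, :url in the logger format).
function classifyTarget(target, allowedHosts = ALLOWED_HOSTS) {
  if (typeof target !== 'string' || target.length === 0) return 'invalid';
  if (target === '*') return 'asterisk';             // "OPTIONS * HTTP/1.1"
  if (target.startsWith('/')) return 'origin';       // normal "GET /path"
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(target)) {     // "GET http://host/ ..."
    let host;
    try {
      host = new URL(target).hostname.toLowerCase();
    } catch (err) {
      return 'invalid';                              // scheme present but unparsable
    }
    return allowedHosts.has(host) ? 'absolute-own' : 'absolute-foreign';
  }
  return 'invalid';                                  // authority-form or garbage
}

// Middleware factory: pass normal requests through, refuse proxy attempts.
function rejectProxyRequests(allowedHosts = ALLOWED_HOSTS) {
  return function (req, res, next) {
    const kind = classifyTarget(req.url, allowedHosts);
    if (kind === 'origin' || kind === 'asterisk') return next();
    if (kind === 'absolute-own') {
      // RFC 7230 section 5.3.2 requires servers to accept absolute-form for
      // their own host; reduce it to a plain path so routing behaves normally.
      const u = new URL(req.url);
      req.url = u.pathname + u.search;
      return next();
    }
    // Foreign absolute URL: someone is probing for an open proxy.
    res.statusCode = kind === 'absolute-foreign' ? 403 : 400;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Request target not served here\n');
  };
}
```

Register it with `app.use(rejectProxyRequests())` ahead of the routes, so a request such as `GET http://www.google.com/` gets a 403 instead of the site's own page with status 200.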