Excessive 404 Middleware

class smarter.lib.django.middleware.excessive_404.SmarterBlockExcessive404Middleware(get_response)

Bases: SmarterMiddlewareMixin

Middleware to block unauthenticated clients that trigger excessive 404 responses. This is a countermeasure against abusive or automated ‘bot’ clients probing for non-existent resources.

This middleware monitors incoming HTTP requests and tracks the number of 404 (Not Found) responses generated by each client IP address. If a client exceeds a configurable threshold of 404 responses within a specified time window, further requests from that client will be blocked with a 403 Forbidden response for the remainder of the timeout period.

The middleware is designed to help mitigate abusive or automated clients that probe for non-existent resources, which can be indicative of malicious activity or misconfigured bots.

Variables:
  • THROTTLE_LIMIT (int) – The maximum number of allowed 404 responses from a single client IP within the timeout period before blocking is triggered. Default is 25.

  • THROTTLE_TIMEOUT (int) – The duration of the timeout window in seconds during which 404 responses are counted and blocking is enforced. Default is 600 seconds (10 minutes).

Note

  • Authenticated users are exempt from this blocking mechanism.

  • The client IP is determined using the get_client_ip() method.

  • The 404 count and blocking state are stored in the Django cache backend.

  • Logging is performed using a waffle switch to control verbosity.

Example

To enable this middleware, add it to your Django project’s middleware settings:

MIDDLEWARE = [
    ...
    'smarter.lib.django.middleware.excessive_404.SmarterBlockExcessive404Middleware',
    ...
]

THROTTLE_LIMIT = 25

The maximum number of allowed 404 responses from a single unauthenticated client IP within the timeout period before blocking is triggered.

THROTTLE_TIMEOUT = 600

The duration of the timeout window in seconds during which 404 responses are counted and blocking is enforced.

property formatted_class_name: str

Return the formatted class name for logging purposes.

process_response(request, response)

Process the HTTP response and apply excessive 404 blocking logic.

Parameters:
  • request (WSGIRequest) – The incoming HTTP request object.

  • response (django.http.HttpResponse) – The outgoing HTTP response object.

Returns:

The original response, or a 403 Forbidden response if the client has exceeded the allowed number of 404 responses.

Return type:

django.http.HttpResponse
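As an added illustration, not code from the smarter project, the following self-contained Python reimplements the counting and blocking logic described above so it can be run and inspected offline. The Django cache backend is replaced by a small in-memory stand-in (MemoryCache) that mimics the get/add/incr/set calls, plain dataclasses stand in for WSGIRequest and HttpResponse, and the client IP is assumed to be already resolved (get_client_ip() is not reproduced). MemoryCache, Excessive404Blocker, Request, Response and simulate are hypothetical names; the sample IP is a constructed TEST-NET-2 address.

```python
import time
from dataclasses import dataclass

THROTTLE_LIMIT = 25      # 404s permitted per unauthenticated client IP per window
THROTTLE_TIMEOUT = 600   # window length in seconds


class MemoryCache:
    """Constructed stand-in for the subset of Django's cache API used below
    (get / add / incr / set with per-key expiry)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at)

    def _live(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        if item[1] <= self._clock():
            del self._data[key]  # expired: behave as if absent
            return None
        return item

    def get(self, key, default=None):
        item = self._live(key)
        return default if item is None else item[0]

    def set(self, key, value, timeout):
        self._data[key] = (value, self._clock() + timeout)

    def add(self, key, value, timeout):
        """Set only if absent; returns True when the key was created."""
        if self._live(key) is not None:
            return False
        self.set(key, value, timeout)
        return True

    def incr(self, key, delta=1):
        """Increment while keeping the key's original expiry (as Django's incr does)."""
        item = self._live(key)
        if item is None:
            raise ValueError(f"Key '{key}' not found")
        self._data[key] = (item[0] + delta, item[1])
        return item[0] + delta


@dataclass
class Request:
    client_ip: str            # assumed resolved upstream; trust only proxy headers you control
    is_authenticated: bool = False


@dataclass
class Response:
    status_code: int


class Excessive404Blocker:
    """Count 404s per unauthenticated IP; once the count exceeds the limit,
    answer 403 until the window expires. The counter key doubles as the block state."""

    def __init__(self, cache, limit=THROTTLE_LIMIT, timeout=THROTTLE_TIMEOUT):
        self.cache, self.limit, self.timeout = cache, limit, timeout

    @staticmethod
    def _count_key(ip):
        return f"excessive404:count:{ip}"

    def process_response(self, request, response):
        if request.is_authenticated:
            return response                      # authenticated users are exempt
        key = self._count_key(request.client_ip)
        if self.cache.get(key, 0) > self.limit:
            return Response(403)                 # already blocked for the rest of the window
        if response.status_code != 404:
            return response
        self.cache.add(key, 0, self.timeout)     # start the window on the first 404 only
        try:
            count = self.cache.incr(key)
        except ValueError:                       # key expired between add() and incr()
            self.cache.set(key, 1, self.timeout)
            count = 1
        return Response(403) if count > self.limit else response


def simulate(limit=THROTTLE_LIMIT, timeout=THROTTLE_TIMEOUT):
    """Drive the blocker with a fake clock and return the observed status codes."""
    now = [0.0]
    blocker = Excessive404Blocker(MemoryCache(clock=lambda: now[0]), limit, timeout)
    bot = Request("198.51.100.7")                        # constructed probing client
    user = Request("198.51.100.7", is_authenticated=True)
    results = {
        # `limit` probes pass through as 404, the next one is turned into 403
        "probes": [blocker.process_response(bot, Response(404)).status_code
                   for _ in range(limit + 1)],
    }
    results["blocked_200"] = blocker.process_response(bot, Response(200)).status_code
    results["authenticated"] = blocker.process_response(user, Response(404)).status_code
    now[0] += timeout                                     # the window has elapsed
    results["after_timeout"] = blocker.process_response(bot, Response(200)).status_code
    return results


if __name__ == "__main__":
    print(simulate(limit=3, timeout=10))
```

Two points worth keeping in mind when reading the real middleware against this sketch: because the hook is process_response, the view still executes for a blocked client and only its response is replaced, so the protection saves bandwidth and noise rather than server work; and the whole mechanism keys on the client IP, so the value get_client_ip() derives from forwarded headers must come from a proxy you control or the count can be spread across spoofed addresses.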