Thanks for the quick response. I did some digging; it appears that:
- Phoenix always raises for 404
- Cowboy suppresses logging from all exceptions raised within an HTTP handler
- Bandit doesn’t suppress logging

I’d like to see Bandit’s behavior be configurable. Since 404 is a fact of life on the internet, and some developers may want to see a stack trace for 500s in production, can we have a configuration parameter for the minimal HTTP status code for stack trace logging?
This looks like a loooooooongstanding error in Phoenix that’s been silently canceled out by Cowboy’s silent error handling.
I’m working up the last bits of a PR for Phoenix to correct this, at which point we’ll end up with a better end result:
- Phoenix renders NoRouteError errors and doesn’t raise them further
- Phoenix renders all other errors and raises them further
- Bandit logs loudly on all errors it receives
- Cowboy doesn’t log errors it receives
This will end up with Bandit continuing to log all non-NoRouteError errors loudly, which is what we want in general. NoRouteErrors will be silenced within Phoenix, which is really the correct place to be expressing this logic.
To be clear, the Phoenix changes above only affect 404s sourced from a NoRouteError error (that is, a request such as /bogus_route). 404s sourced from a secondary issue such as an Ecto record not found error (i.e., /users/123 where 123 is an invalid user id) are not covered here. The expectation is that in those cases you maintain your own error handling in ErrorHTML or elsewhere (put another way, such errors never ought to have surfaced out of Phoenix anyway).