refactor: improve honeypot request tracking and documentation

helm/values.yaml

@@ -576,6 +576,7 @@ wordlists:
     xxe_injection: "(<!ENTITY|<!DOCTYPE|SYSTEM\\s+[\"']|PUBLIC\\s+[\"']|&\\w+;|file://|php://filter|expect://)"
     ldap_injection: "(\\*\\)|\\(\\||\\(&)"
     command_injection: "(cmd=|exec=|command=|execute=|system=|ping=|host=|&&|\\|\\||;|\\$\\{|\\$\\(|`|\\bid\\b|\\bwhoami\\b|\\buname\\b|\\bcat\\b|\\bls\\b|\\bpwd\\b|\\becho\\b|\\bwget\\b|\\bcurl\\b|\\bnc\\b|\\bnetcat\\b|\\bbash\\b|\\bsh\\b|\\bps\\b|\\bkill\\b|\\bchmod\\b|\\bchown\\b|\\bcp\\b|\\bmv\\b|\\brm\\b|/bin/bash|/bin/sh|cmd\\.exe|/bin/|/usr/bin/|/sbin/)"
+    common_probes: "(/admin|/backup|/config|/database|/private|/uploads|/wp-admin|/login|/phpMyAdmin|/phpmyadmin|/users|/search|/contact|/info|/input|/feedback|/server|/api/v1/|/api/v2/|/api/search|/api/sql|/api/database|\\.env|/credentials\\.txt|/passwords\\.txt|\\.git|/backup\\.sql|/db_backup\\.sql)"
   suspicious_patterns:
     - bot
     - crawler

src/routes/honeypot.py

@@ -43,11 +43,11 @@ from logger import get_app_logger, get_access_logger, get_credential_logger
 
 
 # --- Auto-tracking dependency ---
-# Only records requests where an attack pattern is detected in the path or body.
+# Records requests that match attack patterns or honeypot trap paths.
 
 
 async def _track_honeypot_request(request: Request):
-    """Record access only for requests with detected attack patterns."""
+    """Record access for requests with attack patterns or honeypot path hits."""
     tracker = request.app.state.tracker
     client_ip = get_client_ip(request)
     user_agent = request.headers.get("User-Agent", "")
@@ -58,7 +58,7 @@ async def _track_honeypot_request(request: Request):
         body_bytes = await request.body()
         body = body_bytes.decode("utf-8", errors="replace")
 
-    # Only record if an attack pattern is detected in the path or body
+    # Check attack patterns in path and body
     attack_findings = tracker.detect_attack_type(path)
 
     if body:
@@ -66,7 +66,8 @@ async def _track_honeypot_request(request: Request):
         decoded_body = urllib.parse.unquote(body)
         attack_findings.extend(tracker.detect_attack_type(decoded_body))
 
-    if attack_findings:
+    # Record if attack pattern detected OR path is a honeypot trap
+    if attack_findings or tracker.is_honeypot_path(path):
         tracker.record_access(
             ip=client_ip,
             path=path,
@@ -398,15 +399,16 @@ async def trap_page(request: Request, path: str):
             f"[SUSPICIOUS] {client_ip} - {user_agent[:50]} - {full_path}"
         )
 
-    # Always record trap page access (feeds total counter + suspicious panel).
+    # Record access unless the router dependency already handled it
-    # Only store raw_request for suspicious/attack requests to avoid DB bloat.
+    # (attack pattern or honeypot path → already recorded by _track_honeypot_request)
-    tracker.record_access(
+    if not tracker.detect_attack_type(full_path) and not tracker.is_honeypot_path(full_path):
-        ip=client_ip,
+        tracker.record_access(
-        path=full_path,
+            ip=client_ip,
-        user_agent=user_agent,
+            path=full_path,
-        method=request.method,
+            user_agent=user_agent,
-        raw_request=build_raw_request(request) if is_suspicious else "",
+            method=request.method,
-    )
+            raw_request=build_raw_request(request) if is_suspicious else "",
+        )
 
     # Random error response
     if _should_return_error(config):