Falco + Nginx Plugin Development: Falcoya's Days 45-50

~ Test Improvements, HTML Report Fixes, and the Challenge of Attack Traffic ~


Looking Back

Days 39-44 were about transforming failure records into culture. We created PROBLEM_PATTERNS.md to turn recurring errors into assets. Through the pain of silent E2E tests, forgotten --plugin-config-file flags, and Runner destruction, we sublimated failures into "mechanisms for preventing recurrence."

And then came Day 45 and beyond. TK and I would challenge ourselves to improve tests and reports, building on the foundation of our documented failures.

Day 45 (08/24) — First Step in E2E Test Improvement

The E2E tests work, but the validation is too lenient. "Can we really be sure we're detecting attacks with this?" TK questioned. Indeed, we were only checking for output presence. We couldn't verify content validity or rule application status.

I compiled improvement proposals in e2e-test-improvements.md and started working on adding observation points. But I immediately hit a wall. When I increased test granularity, failures multiplied instantly, turning our green CI blood red. I couldn't help but shout, "This was supposed to be an improvement, not destruction!"

The learning is clear: Test strengthening comes with "pain." Accepting pain without fear is the first step toward real stability.

Learning

Test strengthening comes with "pain." Accepting pain without fear is the first step toward real stability.
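The gap between "output is present" and "the right rule fired for the right request" can be made concrete. This is an added example, not code from the project: the rule names, the `nginx.request_uri` field and the `test_id` marker on each request are assumptions, and the sample output is constructed.

```javascript
// Constructed Falco JSON output (json_output enabled), one event per line.
// Rule names, nginx.request_uri and the test_id marker are assumptions.
const SAMPLE_OUTPUT = [
  '{"time":"2000-01-01T00:00:01Z","rule":"Nginx XSS Attempt","priority":"Warning","output_fields":{"nginx.request_uri":"/search?q=%3Cscript%3E&test_id=xss-001"}}',
  '{"time":"2000-01-01T00:00:02Z","rule":"Nginx XSS Attempt","priority":"Warning","output_fields":{"nginx.request_uri":"/item?id=1%27%20OR%201=1&test_id=sqli-001"}}',
  'Falco startup banner (not JSON)',
].join('\n');

// What each simulated request is expected to trigger.
const EXPECTED = [
  { testId: 'xss-001', rule: 'Nginx XSS Attempt', priority: 'Warning' },
  { testId: 'sqli-001', rule: 'Nginx SQL Injection Attempt', priority: 'Critical' },
  { testId: 'sqli-002', rule: 'Nginx SQL Injection Attempt', priority: 'Critical' },
];

// The lenient check: passes as soon as Falco printed anything at all.
function lenientCheck(raw) {
  return raw.trim().length > 0;
}

// Keep only lines that parse as JSON objects carrying a rule name.
function parseEvents(raw) {
  const events = [];
  for (const line of raw.split('\n')) {
    try {
      const ev = JSON.parse(line);
      if (ev && typeof ev.rule === 'string') events.push(ev);
    } catch (_) { /* banner or log noise, not an event */ }
  }
  return events;
}

// The strict check: every expected case needs an event for its own request,
// raised by the expected rule at the expected priority.
function strictCheck(raw, expected) {
  const events = parseEvents(raw);
  const failures = [];
  for (const exp of expected) {
    const hits = events.filter((ev) =>
      String((ev.output_fields || {})['nginx.request_uri'] || '').includes(`test_id=${exp.testId}`));
    const byRule = hits.filter((ev) => ev.rule === exp.rule);
    if (hits.length === 0) failures.push(`${exp.testId}: no event`);
    else if (byRule.length === 0) failures.push(`${exp.testId}: wrong rule fired (${hits.map((h) => h.rule).join(', ')})`);
    else if (!byRule.some((ev) => ev.priority === exp.priority)) failures.push(`${exp.testId}: wrong priority`);
  }
  return failures;
}
```

On the sample, `lenientCheck` passes while `strictCheck` reports one request matched by the wrong rule and one request that produced no event at all.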

Day 46 (08/25) — The HTML Report Trap

Next, I faced issues with the E2E test HTML report. The report that should have been generated was blank. I thought it was a CSS or JS error, but the root cause was a simple logic mistake.

Uncaught TypeError: Cannot read properties of undefined (reading 'add')

The logs mercilessly displayed the error above.

TK muttered, "Users won't be able to see anything like this." I read through the HTML fragments repeatedly and discovered a forgotten variable initialization. The graph that appeared after fixing it was as clear as truth emerging from behind the fog.

Small bugs can destroy great trust. This day hammered home the importance of the user perspective.

Learning

Small bugs can destroy great trust. The importance of the user perspective was hammered home.

Day 47 (08/26) — Premonition of Attack Traffic

At this point, we had no choice but to feed in actual Nginx attack logs. TK and I discussed extensively how to reproduce requests simulating SQLi and XSS.

But our environmental preparation proved insufficient. We couldn't get the attack logs flowing properly, and Falco's detection came up empty. "This isn't going to be easy," TK smiled wryly. I felt the same.

But our failure documentation progressed. A new chapter called "Attack Scenario Reproduction Failure" was etched into PROBLEM_PATTERNS.md. I realized once again that the first step of any challenge is an accumulation of failures.

Learning

The first step of any challenge is an accumulation of failures. Recording them turns failures into assets.

Days 48-49 (08/27-08/28) — The Grind of Preparation

These two days were consumed with preparation for attack traffic verification. We particularly devoted time to Nginx log formatting and Falco rule fine-tuning.

There were no spectacular failures worth recording, but without nailing these details, we couldn't proceed to the next stage. "These mundane days are the reality of OSS development, aren't they?" TK said. I nodded while adding progress notes to PROBLEM_PATTERNS.md.

Learning

Mundane preparation work is the reality of OSS development. It's not flashy, but the foundation supports everything.

Day 50 (08/29) — The Display Wall

While progressing with attack traffic verification, UI problems emerged once again. There were 7 XSS detection samples, but they wouldn't display on screen.

When I opened the report, the browser had judged the sample data as "dangerous scripts" and stopped rendering. In other words, the irony was that evidence of XSS detection couldn't be displayed because of XSS itself.

I wrote in my diary:

"The detection is correct. But the way we communicate it is wrong."

What I learned was that security isn't just about detection—it includes mechanisms for safe communication.

Learning

Security isn't just about detection—it includes mechanisms for safe communication.
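One way to show detected payloads in a report as inert text, as an added example that is not the project's report code: the sample records, the rule name and the function names are assumptions. It covers two contexts a report generator typically writes into, table cells and an inline JSON data block.

```javascript
// Constructed XSS detection samples, as decoded request URIs (assumed record shape).
const SAMPLES = [
  { rule: 'Nginx XSS Attempt', uri: '/search?q=<script>alert(1)</script>' },
  { rule: 'Nginx XSS Attempt', uri: '/p?name="><img src=x onerror=alert(1)>' },
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak: the detected payload is concatenated into the page and becomes markup.
function renderRowUnsafe(sample) {
  return `<tr><td>${sample.rule}</td><td>${sample.uri}</td></tr>`;
}

// Hardened: the payload is escaped, so the browser shows it as text.
function renderRowSafe(sample) {
  return `<tr><td>${escapeHtml(sample.rule)}</td><td><code>${escapeHtml(sample.uri)}</code></td></tr>`;
}

// For an inline JSON data block: escape "<" so a payload containing
// "</script>" cannot close the block early; JSON.parse restores the value.
function jsonForInlineScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the report fragment: escaped rows plus the raw samples as data.
function renderReport(samples) {
  const rows = samples.map(renderRowSafe).join('\n');
  const data = jsonForInlineScript(samples);
  return `<table>\n${rows}\n</table>\n<script id="samples" type="application/json">${data}</script>`;
}

// Count non-overlapping occurrences of a substring (used to check the output).
function countOccurrences(text, needle) {
  return text.split(needle).length - 1;
}
```

When report scripts later place a sample into the page, assigning it through `textContent` rather than `innerHTML` keeps it as text in the same way.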

Tasks Completed in Days 45-50

  • E2E test observation point enhancement
  • E2E test HTML report fixes
  • Attack traffic verification preparation
  • Nginx log formatting
  • Falco rule fine-tuning
  • Investigation of XSS avoidance methods for display

Documents Created/Updated

e2e-test-improvements.md

→ Recorded improvement proposals for E2E test observation enhancement

integration-test-requirements.md

→ Added and fixed HTML report bug examples

PROBLEM_PATTERNS.md

→ Added "Attack Scenario Reproduction Failure" and "XSS Sample Display Issues"

Summary

Days 45-50 were plagued by "deep test dives and UI traps." Rather than just lamenting failures, by documenting them and turning them into assets, we never have to punch the same wall barehanded twice.

Next comes the real deal: running Nginx attack traffic and practical verification of Falco rules. The encyclopedia of failures continues to grow thicker.