20 days ago
I'm seeing these very weird 502 responses in my HTTP logs for my Django app. They make no sense. The repeated 403 POSTs to my root path might be bot scans, maybe? But why would some of these hang for minutes at a time? (the root path is just a redirect to the login page/the main page, it doesn't accept POST requests -- I really don't see why it would hang)
Not even sure how I might go about trying to figure this one out. Any advice would be appreciated.
20 days ago
Some more data:
One of the 403s
```
{ "requestId": "178o2R0HQsmzOHzUo3UVLg", "timestamp": "2026-04-22T23:25:15.345563594Z", "method": "POST", "path": "/", "host": "******REMOVED", "httpStatus": 403, "upstreamProto": "", "downstreamProto": "HTTP/1.1", "responseDetails": "Blocked by Railway WAF", "totalDuration": 85, "upstreamAddress": "", "clientUa": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36", "upstreamRqDuration": 84, "txBytes": 9, "rxBytes": 13284, "srcIp": "67.205.179.26", "edgeRegion": "us-east4-eqdc4a", "upstreamErrors": "[{\"deploymentInstanceID\":\"6cfb1316-46e1-4d63-9de1-15838b98857b\",\"error\":\"Blocked by Railway WAF\",\"duration\":84}]" }
```
One of these 502s
```
{ "requestId": "aH8lbHmxSAadzemIGbGh5g", "timestamp": "2026-04-22T23:02:10.009281353Z", "method": "POST", "path": "/", "host": "******REMOVED", "httpStatus": 502, "upstreamProto": "", "downstreamProto": "HTTP/1.1", "responseDetails": "", "totalDuration": 900001, "upstreamAddress": "", "clientUa": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36", "upstreamRqDuration": 900000, "txBytes": 109, "rxBytes": 6904, "srcIp": "34.28.203.153", "edgeRegion": "us-east4-eqdc4a", "upstreamErrors": "[{\"deploymentInstanceID\":\"31d36505-4dfc-4e3a-9ebe-3b2d00940795\",\"error\":\"upstream headers response timeout\",\"duration\":900000}]" }
```
So, I guess I'm under some sort of attack? The IP that the requests are coming from seems to be listed in Abuse databases.
Not really sure what to do -- I assume this attack is exhausting my web app workers, which is causing the timeouts?
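The two entries above are one JSON object per line, with `upstreamErrors` carrying a second, string-encoded JSON document inside. As an added example (not from the original thread and not Railway's tooling), the following parser reads that shape, pulls out requests the edge waited on for a long time or that ended with an upstream timeout, and tallies status codes per source IP so you can see which clients produce both WAF blocks and hangs. The log lines embedded in it are constructed (documentation-range IPs, short request IDs) with the same field names as the quoted entries; the 60-second threshold is an assumption you would tune.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines with the same field names as the Railway HTTP-log
# entries quoted above; IPs and ids are made up for this example.
SAMPLE_LOG = """\
{"requestId": "r1", "timestamp": "2026-04-22T23:02:10Z", "method": "POST", "path": "/", "httpStatus": 502, "responseDetails": "", "totalDuration": 900001, "upstreamRqDuration": 900000, "srcIp": "192.0.2.10", "upstreamErrors": "[{\\"error\\":\\"upstream headers response timeout\\",\\"duration\\":900000}]"}
{"requestId": "r2", "timestamp": "2026-04-22T23:25:15Z", "method": "POST", "path": "/", "httpStatus": 403, "responseDetails": "Blocked by Railway WAF", "totalDuration": 85, "upstreamRqDuration": 84, "srcIp": "192.0.2.10", "upstreamErrors": "[{\\"error\\":\\"Blocked by Railway WAF\\",\\"duration\\":84}]"}
{"requestId": "r3", "timestamp": "2026-04-22T23:26:01Z", "method": "GET", "path": "/login/", "httpStatus": 200, "responseDetails": "", "totalDuration": 42, "upstreamRqDuration": 40, "srcIp": "198.51.100.7", "upstreamErrors": "[]"}
{"requestId": "r4", "timestamp": "2026-04-22T23:30:00Z", "method": "POST", "path": "/", "httpStatus": 502, "responseDetails": "", "totalDuration": 900002, "upstreamRqDuration": 900000, "srcIp": "192.0.2.11", "upstreamErrors": "[{\\"error\\":\\"upstream headers response timeout\\",\\"duration\\":900000}]"}
"""


def parse_log(text):
    """Parse one JSON object per line and decode the nested upstreamErrors
    string (itself JSON) into a Python list."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["upstreamErrors"] = json.loads(rec.get("upstreamErrors") or "[]")
        records.append(rec)
    return records


def find_hung_requests(records, threshold_ms=60_000):
    """Requests the edge waited on for at least threshold_ms, or that ended
    with an upstream timeout error: the ones that tie up an app worker."""
    hung = []
    for rec in records:
        timed_out = any("timeout" in e.get("error", "") for e in rec["upstreamErrors"])
        if rec.get("upstreamRqDuration", 0) >= threshold_ms or timed_out:
            hung.append(rec)
    return hung


def status_by_ip(records):
    """Count HTTP status codes per client IP, to see which sources produce
    both WAF blocks (403) and hangs (502)."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["srcIp"]][rec["httpStatus"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def worker_seconds_lost(records, threshold_ms=60_000):
    """Total upstream time (seconds) spent on hung requests: a rough measure
    of how much worker capacity the pattern is burning."""
    hung = find_hung_requests(records, threshold_ms)
    return sum(r["upstreamRqDuration"] for r in hung) / 1000


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_hung_requests(recs):
        print(r["requestId"], r["srcIp"], r["method"], r["path"], r["upstreamRqDuration"], "ms")
    print(status_by_ip(recs))
    print("worker-seconds lost:", worker_seconds_lost(recs))
```

Feed it a file exported from the Railway log view (one object per line) instead of `SAMPLE_LOG`; a source that shows up with both 403s and multi-minute 502s is a good candidate for the blocklist, and `worker_seconds_lost` tells you how close the pattern is to saturating the worker pool.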
20 days ago
Bots are probably sending some junk requests and your Django app is just stalling while handling the data.
403s show that the Railway WAF is stopping some requests from passing to your app, but some of them are probably passing the filters and hitting your application with some data that is freezing your application until the timeout ends (which is exactly 15 mins).
Do you have any detailed application logs that show what is being sent/what the server is logging when these requests are coming in? That would make it easier to debug what you should change on your app.
20 days ago
Yeah, seems like the WAF is working for the most part, which is good.
That's the thing -- nothing's showing up in the logs. Admittedly, my logging situation isn't too great -- I'm using honeybadger, but I should probably switch to sentry (and, to be honest, my logging might be a bit misconfigured). I'll add some more direct logging at the middleware level.
I'm thinking of using an IP blocklist at the middleware level as a first line of defence. I'll also tighten up the allowed request methods on some of these paths. Eventually I'll do some dynamic IP blocking.
20 days ago
What you're seeing
- 403 requests → just bots hitting your site incorrectly (normal, harmless)
- 502 requests (15 min) → this is the real problem

What 502 means
A 502 error means: your server didn't respond at all, so the platform (like Railway or a proxy) gave up waiting.

Why it takes 15 minutes
1. A request reaches your Django app
2. Something gets stuck or frozen (not crashing)
3. It never finishes
4. After a long time → timeout → 502

Most likely reason
Your app is blocking (waiting on something):
- database
- external API
- slow code
Or you have too few workers, so one stuck request blocks others.

Key takeaway
- 403 = normal bot spam
- 502 = your app is hanging (not responding)

What to do
- Add more workers (if using Gunicorn)
- Check for slow DB or API calls
- Log request start/end to find what gets stuck
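The original poster's plan (middleware-level logging, an IP blocklist, and tighter allowed methods on the root path) and the last reply's advice to log request start and end are the same piece of code. As an added example, not from the thread and not Django's or Railway's own code, here is a plain WSGI middleware that does all three using only the standard library, so it runs without Django installed. The class name `RequestGuard`, the helper `call`, the stand-in `hello_app`, and the blocklist and method table are constructed for the example; the assumption that the client address can be read from `X-Forwarded-For` holds only when the app is reachable solely through the platform's proxy.

```python
import logging
import time
import uuid
from ipaddress import ip_address, ip_network

log = logging.getLogger("request_guard")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")


class RequestGuard:
    """WSGI middleware (hypothetical name) that logs each request's start and
    end with elapsed time, answers 405 for disallowed methods on listed paths,
    and answers 403 for blocklisted source IPs before the wrapped app runs."""

    def __init__(self, app, allowed_methods=None, blocklist=()):
        self.app = app
        # e.g. {"/": {"GET", "HEAD"}}; paths not listed accept any method
        self.allowed_methods = {
            p: {m.upper() for m in ms} for p, ms in (allowed_methods or {}).items()
        }
        # IPs or CIDRs, e.g. ["192.0.2.0/24"] (constructed for this example)
        self.blocklist = [ip_network(b, strict=False) for b in blocklist]

    @staticmethod
    def client_ip(environ):
        # Behind the platform's edge the client address arrives in
        # X-Forwarded-For (assumption: only the proxy can reach the app, so
        # the first entry is trustworthy); otherwise use REMOTE_ADDR.
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        raw = xff.split(",")[0].strip() if xff else environ.get("REMOTE_ADDR", "")
        try:
            return ip_address(raw)
        except ValueError:
            return None

    def is_blocked(self, ip):
        return ip is not None and any(ip in net for net in self.blocklist)

    def __call__(self, environ, start_response):
        rid = uuid.uuid4().hex[:12]
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")
        ip = self.client_ip(environ)
        started = time.monotonic()
        log.info("start id=%s ip=%s %s %s", rid, ip, method, path)

        def logged_start_response(status, headers, exc_info=None):
            # Fires when a response begins: a "start" line with no matching
            # "end" line identifies a request that is still hanging.
            ms = (time.monotonic() - started) * 1000
            log.info("end id=%s status=%s ms=%.0f", rid, status.split(" ")[0], ms)
            return start_response(status, headers, exc_info)

        def short_circuit(status, body, extra_headers=()):
            headers = [("Content-Type", "text/plain"),
                       ("Content-Length", str(len(body))), *extra_headers]
            logged_start_response(status, headers)
            return [body]

        if self.is_blocked(ip):
            return short_circuit("403 Forbidden", b"forbidden\n")
        allowed = self.allowed_methods.get(path)
        if allowed is not None and method not in allowed:
            return short_circuit("405 Method Not Allowed", b"method not allowed\n",
                                 [("Allow", ", ".join(sorted(allowed)))])
        return self.app(environ, logged_start_response)


def call(app, method="GET", path="/", client_ip="198.51.100.7"):
    """Minimal WSGI driver for testing: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_X_FORWARDED_FOR": client_ip, "REMOTE_ADDR": "10.0.0.1"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def hello_app(environ, start_response):
    # Stand-in for the Django WSGI application
    body = b"hello\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


guarded = RequestGuard(hello_app, allowed_methods={"/": {"GET", "HEAD"}},
                       blocklist=["192.0.2.0/24"])  # constructed blocklist

if __name__ == "__main__":
    print(call(guarded))
    print(call(guarded, method="POST"))
    print(call(guarded, client_ip="192.0.2.10"))
```

In a Django project this wraps the object returned by `get_wsgi_application()` in `wsgi.py`, so blocked or mis-methoded requests are answered before Django's URL resolver, session machinery, or the database are touched. The useful signal for the hang in this thread is the start line without an end line: it names the request id, source IP, method and path of whatever is holding a worker, which the platform's edge log cannot tell you.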