Related issues
None
[REQUIRED] Version info
node: v22.22.2
firebase-functions: v7.2.5
firebase-tools: v15.16.0
firebase-admin: v13.8.0
[REQUIRED] Test case
If a Firebase v2 Callable function receives a GET request (instead of the correct POST), the Firebase Functions framework will log an error before it returns the 400 Bad Request response code
if (!isValidRequest(req)) {
logger.error("Invalid request, unable to process.");
throw new HttpsError("invalid-argument", "Bad Request");
}
https://github.com/firebase/firebase-functions/blob/master/src/common/providers/https.ts#L789
[REQUIRED] Steps to reproduce
For any deployed Firebase function, if you get the URL of the function and trigger a GET request against it (eg due to misconfigured heartbeats, or even just a broken web crawler), you will then find an ERROR severity line in your Google Cloud Log Explorer, and an Open Error raised in your Google Cloud Error Reporting
[REQUIRED] Expected behavior
For some use cases, the default of an ERROR severity to warn of a misconfiguration in your calling code is probably fine
However, for unauthenticated Firebase Functions which could be called by anyone (including web crawlers, AI bots, broken health checks etc), finding an ERROR severity log and a new Error Report every time someone somewhere on the internet tries to GET your function makes finding "real" issues hard amidst the noise.
Therefore, it would be better if the logging level for these invalid requests could be configured, so as the deployer of the function I can pick what severity level these invalid calls are recorded at.
[REQUIRED] Actual behavior
My Google Cloud logs contain "not actually a real error but recorded as an error" lines such as:
2026-05-05 17:08:01.238
Error: Invalid request, unable to process.
at entryFromArgs (/workspace/node_modules/firebase-functions/lib/logger/index.js:144:19)
at Object.error (/workspace/node_modules/firebase-functions/lib/logger/index.js:131:11)
at /workspace/node_modules/firebase-functions/lib/common/providers/https.js:432:24
at /workspace/node_modules/firebase-functions/lib/common/providers/https.js:393:25
at cors (/workspace/node_modules/cors/lib/index.js:188:7)
at /workspace/node_modules/cors/lib/index.js:224:17
at originCallback (/workspace/node_modules/cors/lib/index.js:214:15)
at /workspace/node_modules/cors/lib/index.js:219:13
at optionsCallback (/workspace/node_modules/cors/lib/index.js:199:9)
at corsMiddleware (/workspace/node_modules/cors/lib/index.js:204:7)
Were you able to successfully deploy your functions?
This only occurs when the Firebase HTTPS Callable Function is deployed and running successfully, and it receives a GET (or similar) non-POST request
Related issues
None
[REQUIRED] Version info
node: v22.22.2
firebase-functions: v7.2.5
firebase-tools: v15.16.0
firebase-admin: v13.8.0
[REQUIRED] Test case
If a Firebase v2 Callable function receives a
GETrequest (instead of the correctPOST), the Firebase Functions framework will log an error before it returns the 400 Bad Request response codehttps://github.com/firebase/firebase-functions/blob/master/src/common/providers/https.ts#L789
[REQUIRED] Steps to reproduce
For any deployed Firebase function, if you get the URL of the function and trigger a
GETrequest against it (eg due to misconfigured heartbeats, or even just a broken web crawler), you will then find anERRORseverity line in your Google Cloud Log Explorer, and an Open Error raised in your Google Cloud Error Reporting[REQUIRED] Expected behavior
For some use cases, the default of an
ERRORseverity to warn of a misconfiguration in your calling code is probably fineHowever, for unauthenticated Firebase Functions which could be called by anyone (including web crawlers, AI bots, broken health checks etc), finding an
ERRORseverity log and a new Error Report every time someone somewhere on the internet tries toGETyour function makes finding "real" issues hard amidst the noise.Therefore, it would be better if the logging level for these invalid requests could be configured, so as the deployer of the function I can pick what severity level these invalid calls are recorded at.
[REQUIRED] Actual behavior
My Google Cloud logs contain "not actually a real error but recorded as an error" lines such as:
Were you able to successfully deploy your functions?
This only occurs when the Firebase HTTPS Callable Function is deployed and running successfully, and it receives a
GET(or similar) non-POST request