controller: Handle UnicodeDecodeError from webob decoding invalid URLs

webob will try to utf-8 decode all %-encoded bytes in URL-parameters, but will not handle Unicode errors ... and neither did Kallithea.

Visiting a URL like http://localhost:5000/?%AD would thus give an unhandled exception showing "Internal Server Error" to the user, and logging the full traceback and:

    WebApp Error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xad in position 0: invalid start byte

This has been seen a lot recently from attackers probing for a php vulnerability https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ .

Now handle these exceptions more nicely and reject with "400 Bad Request".
Valentin Kleibel -
r8790:aa51aca7 stable
/ docs / administrator_guide
auth.rst
vcs_setup.rst