Summary
The server uses bare http.ListenAndServe with no read, write, or idle timeouts configured. This makes it vulnerable to slowloris attacks where an attacker opens many connections and sends headers slowly to exhaust the server's goroutine pool.
Location
backend/cmd/server/main.go (lines 56-58)
Suggested fix
Replace http.ListenAndServe with an http.Server struct that sets ReadHeaderTimeout (e.g., 10s), ReadTimeout, and IdleTimeout.
Summary
The server uses bare
http.ListenAndServewith no read, write, or idle timeouts configured. This makes it vulnerable to slowloris attacks where an attacker opens many connections and sends headers slowly to exhaust the server's goroutine pool.Location
backend/cmd/server/main.go(lines 56-58)Suggested fix
Replace
http.ListenAndServewith anhttp.Serverstruct that setsReadHeaderTimeout(e.g., 10s),ReadTimeout, andIdleTimeout.