Skip to content

No HTTP timeouts on server - vulnerable to slowloris #19

Description

@dcmcand

Summary

The server uses bare http.ListenAndServe with no read, write, or idle timeouts configured. This makes it vulnerable to slowloris attacks where an attacker opens many connections and sends headers slowly to exhaust the server's goroutine pool.

Location

  • backend/cmd/server/main.go (lines 56-58)

Suggested fix

Replace http.ListenAndServe with an http.Server struct that sets ReadHeaderTimeout (e.g., 10s), ReadTimeout, and IdleTimeout.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability or hardening

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions