Usage of vulnerable 'serve' function

  • Rule ID: go_gosec_http_http_serve
  • Languages: go
  • Source: http_serve.yml


The default serve functions in Go's net/http package are susceptible to resource consumption attacks. This vulnerability arises when attackers flood the server with incomplete or persistent connections, depleting its resources and blocking new legitimate connections.


  • Do not use default serve functions like http.ListenAndServe and http.Serve in production environments. You cannot set timeouts for these functions, making the server vulnerable to attacks.
    http.ListenAndServe(":8080", nil) // unsafe
  • Do create a custom http.Server object with configured timeouts to safeguard against resource exhaustion. Set ReadHeaderTimeout, ReadTimeout, WriteTimeout, and IdleTimeout to appropriate values.
    myServer := &http.Server{
    Addr: "localhost:8000",
    ReadHeaderTimeout: 15 * time.Second,
    ReadTimeout: 15 * time.Second,
    WriteTimeout: 10 * time.Second,
    IdleTimeout: 30 * time.Second,
  • Do enforce timeouts on individual requests using http.TimeoutHandler. This wrapper ensures that the server does not indefinitely wait for a request to finish, preventing potential denial of service.


Associated CWE


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_serve

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_serve