Missing protection against 'Slowloris' attack

Description

Your server configuration is missing the ReadHeaderTimeout setting, making it vulnerable to a type of Distributed Denial of Service (DDoS) attack known as a Slowloris attack. In such an attack, an attacker opens many connections to your server and sends deliberately incomplete requests. Your server keeps each connection open, waiting for the request headers to finish arriving. Because no per-connection header deadline exists, these half-open connections accumulate until resources are exhausted and the server can no longer accept additional (legitimate) requests.

Remediations

  • Do not use default serve functions like http.ListenAndServe and http.Serve in production environments. You cannot set timeouts for these functions, making the server vulnerable to attacks.
    http.ListenAndServe(":8080", nil) // unsafe
  • Do create a custom http.Server object with configured timeouts to safeguard against resource exhaustion. For Slowloris attacks in particular, set ReadHeaderTimeout to an appropriate value to ensure that connections do not remain open indefinitely.
    myServer := &http.Server{
        Addr:              "localhost:8000",
        ReadHeaderTimeout: 15 * time.Second,
        ReadTimeout:       15 * time.Second,
        WriteTimeout:      10 * time.Second,
        IdleTimeout:       30 * time.Second,
    }
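The following is an added example, not part of the original rule page or of Bearer's own code. It builds an http.Server with the timeouts recommended above and then verifies, against a loopback listener, that the server really does hang up on a connection whose headers never finish. The function names NewHardenedServer and ProbeHeaderTimeout, the constructed partial request string, and the shortened timeouts used for the demo are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// NewHardenedServer returns an http.Server configured with the timeouts from
// the remediation above. ReadHeaderTimeout bounds how long a client may take
// to finish sending request headers, which is the setting that defeats a
// Slowloris-style stall; the other timeouts bound the rest of the exchange.
func NewHardenedServer(addr string, handler http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           handler,
		ReadHeaderTimeout: 15 * time.Second,
		ReadTimeout:       15 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       30 * time.Second,
	}
}

// ProbeHeaderTimeout serves srv on a loopback listener, opens one connection
// that sends an incomplete header block (no terminating blank line, as a
// stalled client would), and reports whether the server closed that
// connection on its own within maxWait. A server with ReadHeaderTimeout set
// returns true; a server without it keeps waiting and returns false.
func ProbeHeaderTimeout(srv *http.Server, maxWait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	// Serve on the listener we own; srv.Addr is ignored by Serve. The error
	// Serve returns after Close is the expected ErrServerClosed.
	go func() { _ = srv.Serve(ln) }()
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Constructed partial request: a valid request line and one header, then
	// silence. The header block is never terminated, so a server without a
	// header deadline would wait on this socket forever.
	if _, err := io.WriteString(conn, "GET / HTTP/1.1\r\nHost: localhost\r\nX-Partial: "); err != nil {
		return false, err
	}

	// Block on a read bounded by maxWait. EOF or a reset means the server
	// closed the socket; our own deadline expiring means it did not.
	if err := conn.SetReadDeadline(time.Now().Add(maxWait)); err != nil {
		return false, err
	}
	buf := make([]byte, 1)
	_, err = conn.Read(buf)
	if err == nil {
		return false, fmt.Errorf("unexpected data from server before header block was complete")
	}
	var nerr net.Error
	if errors.As(err, &nerr) && nerr.Timeout() {
		return false, nil // server still holding the stalled connection open
	}
	return true, nil // server closed the stalled connection
}

func main() {
	hardened := NewHardenedServer("127.0.0.1:0", http.NotFoundHandler())
	hardened.ReadHeaderTimeout = 500 * time.Millisecond // shortened for the demo
	closed, err := ProbeHeaderTimeout(hardened, 3*time.Second)
	fmt.Println("hardened server closed stalled connection:", closed, "err:", err)

	// Contrast: the same server with no header deadline, as the rule flags.
	unguarded := &http.Server{Handler: http.NotFoundHandler()}
	closed, err = ProbeHeaderTimeout(unguarded, 1*time.Second)
	fmt.Println("unguarded server closed stalled connection:", closed, "err:", err)
}
```

Running main prints true for the hardened server and false for the unguarded one. Note that a Go server whose header read times out closes the connection without writing a response, so the probe treats EOF or a reset as "closed"; the loopback listener and shortened timeouts are only for the demonstration, and production servers should keep the 15-second value shown in the remediation.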

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_slowloris

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_slowloris