Uncontrolled resource consumption (Slowloris)
- Rule ID: go_gosec_http_http_slowloris
- Languages: go
- Source: http_slowloris.yml
Description
The server configuration lacks a ReadHeaderTimeout, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.
Remediations
To protect against such attacks, the following steps should be taken:
❌ Avoid Default Serve Functions for Production
Do not use http.ListenAndServe and http.Serve in a production environment, as they do not support timeout settings.
✅ Configure http.Server with Timeouts
Establish a custom http.Server instance with appropriate timeouts to prevent attackers from exploiting the lack of ReadHeaderTimeout.
package main

import (
	"log"
	"net/http"
	"time"
)

func main() {
	// Every phase of the connection is bounded; ReadHeaderTimeout is the one
	// that stops a client from stalling while the headers are still incomplete.
	srv := &http.Server{
		Addr:              "localhost:8000",
		ReadHeaderTimeout: 15 * time.Second, // time allowed to receive the full header block
		ReadTimeout:       15 * time.Second, // time allowed to read the whole request
		WriteTimeout:      10 * time.Second, // time allowed to write the response
		IdleTimeout:       30 * time.Second, // keep-alive idle limit between requests
	}
	if err := srv.ListenAndServe(); err != nil {
		log.Fatal(err)
	}
}
✅ Enforce Request Timeouts
Implement http.TimeoutHandler to apply timeouts to individual HTTP handlers; its countdown starts only after the headers have been read.
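The two remediations above, combined in one added example that is not part of the rule's own text: a constructor for a server whose header phase is bounded, a check mirroring what the rule looks for (net/http falls back to ReadTimeout when ReadHeaderTimeout is zero, so either closes the gap), and http.TimeoutHandler wrapping a constructed slow handler so the 503-on-overrun behaviour can be exercised in memory. The address and the handler are assumptions for illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"time"
)

// NewHardenedServer builds an http.Server with the header-read phase bounded,
// which is the setting the rule checks for; the other phases are bounded too.
// The address is a placeholder; any handler can be passed in.
func NewHardenedServer(addr string, h http.Handler, headerTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: headerTimeout,
		ReadTimeout:       15 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       30 * time.Second,
	}
}

// HasHeaderTimeout mirrors the rule's check: a server is exposed to Slowloris when
// a client can stall in the header phase indefinitely. net/http uses ReadTimeout
// for the header phase when ReadHeaderTimeout is zero, so either setting suffices.
func HasHeaderTimeout(srv *http.Server) bool {
	return srv.ReadHeaderTimeout > 0 || srv.ReadTimeout > 0
}

// WithHandlerTimeout wraps h in http.TimeoutHandler, which starts its clock only
// after the request headers have been read and answers 503 if h overruns.
func WithHandlerTimeout(h http.Handler, d time.Duration) http.Handler {
	return http.TimeoutHandler(h, d, "handler timed out")
}

// StatusFor serves one in-memory request through h and returns the status code,
// so the timeout behaviour can be exercised without opening a socket.
func StatusFor(h http.Handler, req *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// SlowHandler is a constructed handler that waits d before replying, standing in
// for work that may outlive the per-handler budget.
func SlowHandler(d time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(d)
		_, _ = w.Write([]byte("done"))
	})
}
```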
Resources
- Configuring Timeouts in http.Server
- How to Set Request-Based Timeouts
- Understanding Slowloris Attacks
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_slowloris
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_slowloris