Uncontrolled resource consumption (Slowloris)

Description

The server configuration lacks a ReadHeaderTimeout, making it vulnerable to a Slowloris attack. In this attack, a client opens many connections to the server but sends only partial requests, never completing the header block. The server keeps each connection open while it waits for the headers to finish, so the connections accumulate and ultimately lead to resource exhaustion.

Remediations

To protect against such attacks, the following steps should be taken:

❌ Avoid Default Serve Functions for Production

Do not use http.ListenAndServe or http.Serve in a production environment: both build an http.Server with zero-valued timeouts, and neither offers a way to set them.

✅ Configure http.Server with Timeouts

Construct a custom http.Server instance with explicit timeouts so that a client holding a connection open with an incomplete header block is disconnected instead of occupying the server indefinitely.

package main

import (
	"log"
	"net/http"
	"time"
)

func main() {
	srv := &http.Server{
		Addr: "localhost:8000",
		// Bounds how long a client may take to send the complete request headers;
		// this is the timeout that stops Slowloris-style partial requests.
		ReadHeaderTimeout: 15 * time.Second,
		// Bounds reading the whole request, body included.
		ReadTimeout: 15 * time.Second,
		// Bounds writing the response.
		WriteTimeout: 10 * time.Second,
		// Bounds how long a keep-alive connection may sit idle between requests.
		IdleTimeout: 30 * time.Second,
	}

	if err := srv.ListenAndServe(); err != nil {
		log.Fatal(err)
	}
}

✅ Enforce Request Timeouts

Wrap handlers with http.TimeoutHandler to apply a per-handler deadline. Note that this timer starts counting only after the headers have been read, so it complements ReadHeaderTimeout rather than replacing it.
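As an added example (not code from the original rule page), the two remediations combined: connection-level timeouts on http.Server plus a per-handler deadline from http.TimeoutHandler. slowHandler, newServer and probeStatus are constructed names; probeStatus drives the wrapped handler in memory with httptest to show the 503 a client receives when a handler overruns its deadline.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// slowHandler is a constructed stand-in for application logic that takes `delay` to respond.
func slowHandler(delay time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(delay):
			w.Write([]byte("done"))
		case <-r.Context().Done():
			// TimeoutHandler cancelled the request context: stop work, write nothing.
		}
	})
}

// newServer combines both layers: connection-level timeouts on http.Server
// (ReadHeaderTimeout is the one that stops Slowloris) and a per-handler
// deadline via http.TimeoutHandler, which only starts after headers are read.
func newServer(addr string, h http.Handler, handlerTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           http.TimeoutHandler(h, handlerTimeout, "handler timed out"),
		ReadHeaderTimeout: 15 * time.Second,
		ReadTimeout:       15 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       30 * time.Second,
	}
}

// probeStatus drives the wrapped handler in memory (no socket) and returns
// the status a client would see: 200 when the handler finishes in time,
// 503 when TimeoutHandler cuts it off.
func probeStatus(handlerDelay, handlerTimeout time.Duration) int {
	srv := newServer("localhost:8000", slowHandler(handlerDelay), handlerTimeout)
	rec := httptest.NewRecorder()
	srv.Handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code
}

func main() {
	log.Printf("fast=%d slow=%d", probeStatus(10*time.Millisecond, time.Second),
		probeStatus(2*time.Second, 100*time.Millisecond))
	log.Fatal(newServer("localhost:8000", slowHandler(50*time.Millisecond), 5*time.Second).ListenAndServe())
}
```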

Resources

Associated CWE

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_slowloris

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_slowloris
