Uncontrolled resource consumption (Slowloris)

• Rule ID: go_gosec_http_http_slowloris
• Languages: go
• Source: http_slowloris.yml

Description

The server configuration lacks a ReadHeaderTimeout, making it vulnerable to a Slowloris attack. This type of attack occurs when an attacker opens multiple connections to the server but sends only partial requests. The server keeps each connection open, waiting for the headers to be completed, ultimately leading to resource exhaustion.

Remediations

To protect against such attacks, the following steps should be taken:

❌ Avoid Default Serve Functions for Production

Do not use http.ListenAndServe and http.Serve in a production environment, as they do not support timeout settings.

✅ Configure http.Server with Timeouts

Establish a custom http.Server instance with appropriate timeouts to prevent attackers from exploiting the lack of ReadHeaderTimeout.

import (
    "net/http"
    "time"
    "log"
)

func main() {
    srv := &http.Server{
        Addr: "localhost:8000",
        ReadHeaderTimeout: 15 * time.Second,
        ReadTimeout: 15 * time.Second,
        WriteTimeout: 10 * time.Second,
        IdleTimeout: 30 * time.Second,
    }

    if err := srv.ListenAndServe(); err != nil {
        log.Fatal(err)
    }
}

✅ Enforce Request Timeouts

Implement http.TimeoutHandler to apply timeouts to individual HTTP handlers, which starts counting down only after the headers have been read.

Resources

• Configuring Timeouts in http.Server
• How to Set Request-Based Timeouts
• Understanding Slowloris Attacks

Associated CWE

• CWE-400: Uncontrolled Resource Consumption

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_slowloris

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_slowloris