Use of net/http's ListenAndServe function has no support for setting timeouts in workhorse/main
DESCRIPTION:
HTTP timeouts are necessary to expire inactive connections. Failing to set them might make the application vulnerable to attacks like Slowloris, which work by sending data very slowly; with no timeout, this keeps the connection active, eventually leading to a denial of service (DoS).
BAD PRACTICE EXAMPLE:
package main

import (
	"fmt"
	"net/http"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
	})

	// The package-level helper offers no way to configure timeouts.
	err := http.ListenAndServe(":1234", nil)
	if err != nil {
		panic(err)
	}
}
RECOMMENDED EXAMPLE:
package main

import (
	"fmt"
	"net/http"
	"time"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
	})

	server := &http.Server{
		Addr: ":1234",
		// Bound how long a client may take to send the request headers.
		ReadHeaderTimeout: 3 * time.Second,
	}

	err := server.ListenAndServe()
	if err != nil {
		panic(err)
	}
}
Find the code here:
Use of net/http serve function that has no support for setting timeouts in:
workhorse/main.go on line 207.
		return fmt.Errorf("pprofListenAddr: %v", err)
		}
		go func() { finalErrors <- http.Serve(l, nil) }()
	}
	monitoringOpts := []monitoring.Option{monitoring.WithBuildInformation(Version, BuildTime)}
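The flagged call is `http.Serve(l, nil)` on an existing listener, while the recommended example above only covers `ListenAndServe`. The following added example (not code from this issue or from workhorse) shows the equivalent change for a listener and a regression check that a client which never finishes its headers gets disconnected. The names `serve` and `stalledConnClosed`, the loopback port and the 200 ms timeout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// serve (hypothetical helper) replaces `go http.Serve(l, nil)`; headerTimeout 0 keeps the old no-timeout behaviour.
func serve(l net.Listener, headerTimeout time.Duration) *http.Server {
	srv := &http.Server{ReadHeaderTimeout: headerTimeout} // nil Handler: DefaultServeMux
	go srv.Serve(l)
	return srv
}

// stalledConnClosed sends a constructed, never-terminated header block to a
// loopback server and reports whether the server hung up within wait.
func stalledConnClosed(headerTimeout, wait time.Duration) (bool, error) {
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer serve(l, headerTimeout).Close()
	c, err := net.Dial("tcp", l.Addr().String())
	if err != nil {
		return false, err
	}
	defer c.Close()
	if _, err := io.WriteString(c, "GET / HTTP/1.1\r\nHost: example.test\r\n"); err != nil {
		return false, err
	}
	c.SetReadDeadline(time.Now().Add(wait))
	_, err = io.Copy(io.Discard, c) // returns nil once the server closes the connection
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false, nil // our deadline fired first: the server is still waiting
	}
	return true, nil
}

func main() {
	for _, t := range []time.Duration{0, 200 * time.Millisecond} {
		closed, err := stalledConnClosed(t, time.Second)
		fmt.Printf("ReadHeaderTimeout=%v closed=%v err=%v\n", t, closed, err)
	}
}
```

`ReadHeaderTimeout` only bounds the header phase; slow request bodies and idle keep-alive connections are governed by the separate `ReadTimeout` and `IdleTimeout` fields of `http.Server`.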