Insecure HTTP Server Configuration
Description
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts are not properly configured prior to starting the HTTP server. An adversary may open up thousands of connections but never complete sending all data, or never terminate the connections. This may lead to the server no longer accepting new connections.
Examples
Insecure Code
go
http.ListenAndServe(":8000", nil)Secure Code
go
srv := &http.Server{
Addr: "localhost:8000",
ReadHeaderTimeout: 15 * time.Second,
ReadTimeout: 15 * time.Second,
WriteTimeout: 10 * time.Second,
IdleTimeout: 30 * time.Second,
}; srv.ListenAndServe()Remediation
Configure timeouts in the `net/http` server prior to calling the listen or serve functions by creating a custom `http.Server` object with the timeouts configured.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0788 |
| Category | InsecureConfig |
| Severity | LOW |
| CWE | CWE-770 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | resource consumption, slowloris attack |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |