security: add HTTP server timeouts (ai:gpt-5) #54

New issue

Closed

opened 2026-05-23 22:20:58 +02:00 by heiko · 1 comment

heiko commented 2026-05-23 22:20:58 +02:00

Owner

Copy link

Finding from a whole-codebase security review.

Affected code:

• cmd/once-server/serve.go:142-148 calls http.ListenAndServeTLS or http.ListenAndServe directly with the default server settings.

Impact:
The default net/http server has no ReadHeaderTimeout, ReadTimeout, WriteTimeout, or IdleTimeout. An unauthenticated client can hold connections open slowly and consume server resources, especially when Once is exposed directly or when a reverse proxy does not fully absorb slow clients.

Suggested fix:

• Instantiate an http.Server explicitly with conservative timeouts.
• Make timeout values configurable if needed, but keep safe defaults.
• Keep compatibility with both direct TLS and HTTP-behind-proxy modes.
• Add tests or at least configuration coverage for the timeout defaults.

Finding from a whole-codebase security review. Affected code: - cmd/once-server/serve.go:142-148 calls `http.ListenAndServeTLS` or `http.ListenAndServe` directly with the default server settings. Impact: The default `net/http` server has no `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, or `IdleTimeout`. An unauthenticated client can hold connections open slowly and consume server resources, especially when Once is exposed directly or when a reverse proxy does not fully absorb slow clients. Suggested fix: - Instantiate an `http.Server` explicitly with conservative timeouts. - Make timeout values configurable if needed, but keep safe defaults. - Keep compatibility with both direct TLS and HTTP-behind-proxy modes. - Add tests or at least configuration coverage for the timeout defaults.

heiko referenced this issue from a commit 2026-05-24 17:36:54 +02:00

Add configurable HTTP server timeouts

heiko added the

security

label 2026-05-24 18:44:09 +02:00

heiko referenced this issue from a pull request that will close it, 2026-05-24 18:52:03 +02:00

Fix #54: add HTTP server timeouts #60

heiko commented 2026-05-24 20:15:50 +02:00

Author

Owner

Copy link

Fixed by commit f407586 (Add configurable HTTP server timeouts).

Implements all four timeouts:

• ReadHeaderTimeout: 5s
• ReadTimeout: 30s
• WriteTimeout: 1m
• IdleTimeout: 2m

Timeouts are configurable via TOML config. Security review confirmed proper implementation with comprehensive test coverage.

Fixed by commit f407586 (Add configurable HTTP server timeouts). Implements all four timeouts: - ReadHeaderTimeout: 5s - ReadTimeout: 30s - WriteTimeout: 1m - IdleTimeout: 2m Timeouts are configurable via TOML config. Security review confirmed proper implementation with comprehensive test coverage.

heiko closed this issue 2026-05-24 20:15:59 +02:00

heiko referenced this issue 2026-05-24 20:50:14 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

nagonag/update-master

fix/44-log-removal-details

debian

once.css

dev

v2.5.13-0.20260527114056-db01c609fc25

deb/v2.5.12-1

v2.5.12

deb/v2.5.11-1

v2.5.11

deb/v2.5.10-0.20260524190140-f81a5573a1da-2

deb/v2.5.10-0.20260524190140-f81a5573a1da-1

v2.5.10-0.20260524190140-f81a5573a1da

v2.5.10-0.20260524132651-90531c0633c8

v2.5.9

v2.5.9-0.20260524121920-a8bd0d1e45a4

v2.5.9-0.20260524115638-1a8fe03c73c5

deb/v2.5.8-1

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.4-0.20250910115912-7b669c0bd9aa

v0.0.0-20250910115912-7b669c0bd9aa

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v0.0.0-20250519211121-6ae54abed7ef

v2.4.4

v2.4.3

debian/2.4.2-1

v2.4.2

debian/2.4.1-1

v2.4.1

debian/2.4-1

v2.4

v2.3

debian/2.2-1-g04382ef-1

v2.2-1-g04382ef

debian/2.2-1

v2.2

debian/2.1-1

v2.1

debian/2.0-1

v2.0

debian/1.3-1-gbfa9b7c-1

v1.3-1-gbfa9b7c

debian/1.3-1

v1.3

debian/1.2-11-g73e5390-1

1.2-11-g73e5390

debian/1.2-1

1.2

debian/1.1-1

1.1

debian/1.0-1

1.0

debian/0.3-4-gf628485-1

0.3-4-gf628485

debian/0.3-3-g94ce876-1

0.3-3-g94ce876

debian/0.3-2

0.3

debian/0.2.5-7

debian/0.2.5-6

debian/0.2.5-5

debian/0.2.5-4

debian/0.2.5-3

debian/0.2.5-2

debian/0.2.5-1

0.2.5

debian/0.2.4-1

0.2.4

debian/0.2.3-1

0.2.3

debian/0.2.2-0

0.2.2

0.2.1

0.2

0.1

Labels

Clear labels   

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

bug

Something is not working

  

doc

Missing or wrong documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

This is security relevant

  

wontfix

This won't be fixed

No labels

nagonag

nagonag/ignore

bug

doc

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

IUS/once#54

No description provided.