Server has no HTTP timeouts — Slowloris risk on public endpoints #27

Open
opened 2026-05-17 23:13:08 +02:00 by heiko · 1 comment
Owner

Summary

cmd/cert-proxy-server/main.go:71 starts the server with http.Serve(listener, nil) and no http.Server struct, so ReadTimeout, WriteTimeout, and IdleTimeout are all zero (unlimited).

The endpoints /v1/cert/, /v1/chain/, and /v1/fullchain/ require no client certificate, so any anonymous TCP peer can hold connections open indefinitely (Slowloris-style).

Fix

Replace the bare http.Serve call with an explicit http.Server:

```go
srv := &http.Server{
    ReadHeaderTimeout: 10 * time.Second,
    WriteTimeout:      30 * time.Second,
    IdleTimeout:       120 * time.Second,
}
log.Fatal(srv.Serve(listener))
```
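A regression check for the proposed fix, added here as an example and not part of the issue or of the cert-proxy code: it starts a server with the proposed timeouts on an ephemeral loopback port, opens one connection that never finishes sending its headers, and reports whether the server drops it. With all three timeouts zero (what the bare `http.Serve(listener, nil)` gives today) the same connection stays open until the client gives up. `Handler` is left nil so `DefaultServeMux` is used, as in the current code; the `/v1/cert/` path and `cert-proxy` host in the partial request are just sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// startServer listens on an ephemeral loopback port using the explicit
// http.Server from the proposed fix (Handler nil = DefaultServeMux, as today).
// Zero timeouts reproduce the current bare http.Serve(listener, nil) behaviour.
func startServer(readHeader, write, idle time.Duration) (string, func(), error) {
	srv := &http.Server{ReadHeaderTimeout: readHeader, WriteTimeout: write, IdleTimeout: idle}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go srv.Serve(ln)
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// stalledClientDropped sends the start of a request and then goes quiet, the
// way a stalled peer does, and reports whether the server closed the
// connection within limit (true = timeout working, false = still held open).
func stalledClientDropped(addr string, limit time.Duration) (bool, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Constructed partial request: the last header line is never terminated.
	fmt.Fprint(conn, "GET /v1/cert/ HTTP/1.1\r\nHost: cert-proxy\r\nX-Incomplete: ")
	conn.SetReadDeadline(time.Now().Add(limit))
	_, err = conn.Read(make([]byte, 128))
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own read deadline fired first: server is still waiting
	}
	return true, nil // server replied (nil) or closed the connection (EOF/reset)
}

func main() {
	addr, stop, err := startServer(10*time.Second, 30*time.Second, 120*time.Second)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(stalledClientDropped(addr, 15*time.Second))
}
```

Run it against a build of the current `main.go` by passing zero for all three durations and it prints `false <nil>`; with the fix applied it prints `true <nil>` once `ReadHeaderTimeout` elapses.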
Author
Owner

AI attribution comment added per repository instruction for this open issue.

(co)authored by ai:gpt-5-codex

Reference
heiko/cert-proxy#27