Critiq Docs

security.misconfiguration

Configure HTTP server timeouts for public listeners

Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `go.security.net-http-missing-timeouts` |
| Severity | medium |
| Confidence | 0.7 |
| Languages | go |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | go, net/http, rules-catalog, security |

# Why it matters

With no timeouts set, a slow or idle client can hold a connection and its serving goroutine open indefinitely, which enables slowloris-style resource exhaustion and hung connections on internet-facing services.

# Remediation

Construct an `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, and `IdleTimeout` set, and call `ListenAndServe` on that configured instance rather than the package-level `http.ListenAndServe` helper.
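The remediated form, as an added example that is not part of the rule catalog or Critiq's own code: the package-level `http.ListenAndServe(addr, h)` call the rule flags is replaced by an explicit `http.Server` with all four timeouts, plus a small self-check that reports any timeout still at its zero value (the durations and the `MissingTimeouts` helper are illustrative choices, not values the rule prescribes).

```go
package main

import (
	"log"
	"net/http"
	"time"
)

// NewHardenedServer builds the server the rule asks for: every timeout set
// explicitly. Durations are illustrative; tune them to the service's expected
// request sizes and client behaviour.
func NewHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,  // bounds the header phase (slowloris)
		ReadTimeout:       10 * time.Second, // headers plus request body
		WriteTimeout:      15 * time.Second, // time allowed to write the response
		IdleTimeout:       60 * time.Second, // keep-alive wait for the next request
	}
}

// MissingTimeouts lists the timeout fields still at their zero value, which is
// the condition the rule reports. Hypothetical helper for a startup self-check.
func MissingTimeouts(s *http.Server) []string {
	var missing []string
	if s.ReadHeaderTimeout == 0 {
		missing = append(missing, "ReadHeaderTimeout")
	}
	if s.ReadTimeout == 0 {
		missing = append(missing, "ReadTimeout")
	}
	if s.WriteTimeout == 0 {
		missing = append(missing, "WriteTimeout")
	}
	if s.IdleTimeout == 0 {
		missing = append(missing, "IdleTimeout")
	}
	return missing
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	srv := NewHardenedServer(":8080", mux)
	if m := MissingTimeouts(srv); len(m) > 0 {
		log.Fatalf("refusing to start: timeouts unset: %v", m)
	}
	// ListenAndServe on the configured instance, not the package-level helper.
	log.Fatal(srv.ListenAndServe())
}
```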

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/go/go.security.net-http-missing-timeouts.rule.yaml`.