From 4d8b8339c010c9c82385cd6748ded9c4048a2b57 Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Thu, 29 Feb 2024 12:32:55 -0600
Subject: [PATCH] chore: configure agent server to avoid slowloris attack (#2342)

## Description

- included timeout to avoid slowloris attack
- `gosec` https://github.com/securego/gosec G112: Potential slowloris attack

## Related Issue

Fixes #
Relates to #

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 src/internal/agent/http/server.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/internal/agent/http/server.go b/src/internal/agent/http/server.go
index 4087308d3a..86ff5e828f 100644
--- a/src/internal/agent/http/server.go
+++ b/src/internal/agent/http/server.go
@@ -7,6 +7,7 @@ package http
 import (
 "fmt"
 "net/http"
+ "time"
 "github.com/defenseunicorns/zarf/src/internal/agent/hooks"
 "github.com/defenseunicorns/zarf/src/pkg/message"
@@ -34,8 +35,9 @@ func NewAdmissionServer(port string) *http.Server {
 mux.Handle("/metrics", promhttp.Handler())
 return &http.Server{
- Addr: fmt.Sprintf(":%s", port),
- Handler: mux,
+ Addr: fmt.Sprintf(":%s", port),
+ Handler: mux,
+ ReadHeaderTimeout: 5 * time.Second, // Set ReadHeaderTimeout to avoid Slowloris attacks
 }
 }
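Review bot: ReadHeaderTimeout only bounds the time a client may take to deliver the request headers; the http.Server literal returned by NewAdmissionServer still has no ReadTimeout, WriteTimeout or IdleTimeout, so a client that sends headers promptly and then trickles the body, or that parks keep-alive connections, is not bounded by this change — the same applies to the NewProxyServer hunk below. Consider setting those three fields beside the new one, with values chosen for the request and response sizes each server actually handles (the proxy may need a longer WriteTimeout than the admission endpoint); both constructors' bodies begin outside the hunk. The 5-second value is now duplicated in two constructors, so a package-level `const readHeaderTimeout = 5 * time.Second` would keep them in step. The trailing comment repeats the field name rather than the reason; `// bound header reads so slow or idle clients cannot pin a connection (gosec G112)` says why the field is there.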
@@ -49,8 +51,9 @@ func NewProxyServer(port string) *http.Server {
 mux.Handle("/metrics", promhttp.Handler())
 return &http.Server{
- Addr: fmt.Sprintf(":%s", port),
- Handler: mux,
+ Addr: fmt.Sprintf(":%s", port),
+ Handler: mux,
+ ReadHeaderTimeout: 5 * time.Second, // Set ReadHeaderTimeout to avoid Slowloris attacks
 }
 }