Severity: low | CWE-400 | OWASP A05:2021

No Request Timeout

HTTP requests without server-side timeouts allow slow clients or malicious slow-body attacks to hold server connections open indefinitely.

How It Works

A 'slow HTTP attack' (Slowloris, RUDY) sends the request headers or body extremely slowly, for example one byte every 30 seconds. Without a request timeout, each such connection is held open indefinitely. A server with a connection limit of 10,000 can be DoS'd with a few hundred slow connections if there's no timeout to free them.

Vulnerable Code

// BAD: no request timeout on the HTTP server
const http = require('http');
const app = (req, res) => res.end('ok'); // stand-in for your request handler (e.g. an Express app)
const server = http.createServer(app);
server.listen(3000);
// server.timeout defaults to 0 (no inactivity timeout) in recent Node.js versions,
// so slow clients can hold connections open forever

Secure Code

// GOOD: configure server-level request and header timeouts
const http = require('http');
const app = (req, res) => res.end('ok'); // stand-in for your request handler (e.g. an Express app)
const server = http.createServer(app);
server.requestTimeout = 30_000;  // 30s to complete the full request (headers + body)
server.headersTimeout = 10_000;  // 10s to finish sending headers
server.listen(3000);

Real-World Example

Slowloris attacks have taken down Apache servers that had no connection timeout configured. The same attack vector applies to Node.js HTTP servers. Several npm packages exist specifically to exploit this against unprotected Node.js applications.

How to Prevent It

  • Set server.requestTimeout and server.headersTimeout on your Node.js HTTP server
  • Set connection timeouts at the reverse proxy level (Nginx keepalive_timeout, Cloudflare timeouts)
  • For serverless deployments, set function-level timeouts (they act as request timeouts)
  • Monitor your server's active connection count — a gradual increase without corresponding traffic increase indicates a slow attack

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
