Made by DeepSource

Use of net/http's ListenAndServe function has no support for setting timeouts GO-S2114

Security
Major
a05 owasp top 10 cwe-400

HTTP timeouts are necessary to expire inactive connections. Without them, the application might be vulnerable to attacks like Slowloris, which work by sending data very slowly. With no timeout in place, such a connection stays active, eventually leading to a denial-of-service (DoS) attack.

Bad practice

package main

import (
    "fmt"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
    })

    // http.ListenAndServe builds its own http.Server and offers no way to set timeouts.
    err := http.ListenAndServe(":1234", nil)
    if err != nil {
        panic(err)
    }
}

Recommended

package main

import (
    "fmt"
    "net/http"
    "time"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "Hello, %s!", r.URL.Path[1:])
    })

    // ReadHeaderTimeout limits how long a client may take to send the request headers.
    server := &http.Server{
        Addr:              ":1234",
        ReadHeaderTimeout: 3 * time.Second,
    }

    err := server.ListenAndServe()
    if err != nil {
        panic(err)
    }
}
