Add ReadHeaderTimeout for security

Closes #821 Signed-off-by: Doug Davis <dug@microsoft.com>
cloudevents · Dec 8, 2022 · 54d75c1 · 54d75c1
1 parent 2298be0
commit 54d75c1
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/v2/protocol/http/abuse_protection.go b/v2/protocol/http/abuse_protection.go
@@ -23,6 +23,7 @@ type WebhookConfig struct {
 
 const (
 	DefaultAllowedRate = 1000
+	DefaultReadTimeout = time.Second * 600
 )
 
 // TODO: implement rate limiting.

diff --git a/v2/protocol/http/protocol_lifecycle.go b/v2/protocol/http/protocol_lifecycle.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/cloudevents/sdk-go/v2/protocol"
 )
@@ -38,8 +39,9 @@ func (p *Protocol) OpenInbound(ctx context.Context) error {
 	}
 
 	p.server = &http.Server{
-		Addr:    listener.Addr().String(),
-		Handler: attachMiddleware(p.Handler, p.middleware),
+		Addr:              listener.Addr().String(),
+		Handler:           attachMiddleware(p.Handler, p.middleware),
+		ReadHeaderTimeout: DefaultReadTimeout,
 	}
 
 	// Shutdown
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,6 +23,7 @@ type WebhookConfig struct { @@
     const (
     	DefaultAllowedRate = 1000
+    	DefaultReadTimeout = time.Second * 600
     )
     // TODO: implement rate limiting.
@@ Expand Down @@