security: add HTTP server timeouts to prevent slowloris attacks

Configure HTTP server with sensible timeouts: - ReadTimeout: 30s (time to read entire request) - WriteTimeout: 30s (time to write response) - IdleTimeout: 120s (keep-alive connection timeout) - ReadHeaderTimeout: 10s (time to read request headers) For SSE connections, use http.ResponseController to extend write deadlines before each write, preventing timeout on long-lived streams while still protecting against slow clients. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 22:05:33 +01:00
parent 149832e4e5
commit 1565cb5e1b
2 changed files with 119 additions and 9 deletions
--- a/internal/mcp/transport_http.go
+++ b/internal/mcp/transport_http.go
@@ -13,18 +13,28 @@ import (

 // HTTPConfig configures the HTTP transport.
 type HTTPConfig struct {
-	Address        string        // Listen address (e.g., "127.0.0.1:8080")
-	Endpoint       string        // MCP endpoint path (e.g., "/mcp")
-	AllowedOrigins []string      // Allowed Origin headers for CORS (empty = localhost only)
-	SessionTTL     time.Duration // Session TTL (default: 30 minutes)
-	TLSCertFile    string        // TLS certificate file (optional)
-	TLSKeyFile     string        // TLS key file (optional)
-	MaxRequestSize int64         // Maximum request body size in bytes (default: 1MB)
+	Address           string        // Listen address (e.g., "127.0.0.1:8080")
+	Endpoint          string        // MCP endpoint path (e.g., "/mcp")
+	AllowedOrigins    []string      // Allowed Origin headers for CORS (empty = localhost only)
+	SessionTTL        time.Duration // Session TTL (default: 30 minutes)
+	TLSCertFile       string        // TLS certificate file (optional)
+	TLSKeyFile        string        // TLS key file (optional)
+	MaxRequestSize    int64         // Maximum request body size in bytes (default: 1MB)
+	ReadTimeout       time.Duration // HTTP server read timeout (default: 30s)
+	WriteTimeout      time.Duration // HTTP server write timeout (default: 30s)
+	IdleTimeout       time.Duration // HTTP server idle timeout (default: 120s)
+	ReadHeaderTimeout time.Duration // HTTP server read header timeout (default: 10s)
 }

 const (
 	// DefaultMaxRequestSize is the default maximum request body size (1MB).
 	DefaultMaxRequestSize = 1 << 20 // 1MB
+
+	// Default HTTP server timeouts
+	DefaultReadTimeout       = 30 * time.Second
+	DefaultWriteTimeout      = 30 * time.Second
+	DefaultIdleTimeout       = 120 * time.Second
+	DefaultReadHeaderTimeout = 10 * time.Second
 )

 // HTTPTransport implements the MCP Streamable HTTP transport.
@@ -48,6 +58,18 @@ func NewHTTPTransport(server *Server, config HTTPConfig) *HTTPTransport {
 	if config.MaxRequestSize == 0 {
 		config.MaxRequestSize = DefaultMaxRequestSize
 	}
+	if config.ReadTimeout == 0 {
+		config.ReadTimeout = DefaultReadTimeout
+	}
+	if config.WriteTimeout == 0 {
+		config.WriteTimeout = DefaultWriteTimeout
+	}
+	if config.IdleTimeout == 0 {
+		config.IdleTimeout = DefaultIdleTimeout
+	}
+	if config.ReadHeaderTimeout == 0 {
+		config.ReadHeaderTimeout = DefaultReadHeaderTimeout
+	}

 	return &HTTPTransport{
 		server:   server,
@@ -62,8 +84,12 @@ func (t *HTTPTransport) Run(ctx context.Context) error {
 	mux.HandleFunc(t.config.Endpoint, t.handleMCP)

 	httpServer := &http.Server{
-		Addr:    t.config.Address,
-		Handler: mux,
+		Addr:              t.config.Address,
+		Handler:           mux,
+		ReadTimeout:       t.config.ReadTimeout,
+		WriteTimeout:      t.config.WriteTimeout,
+		IdleTimeout:       t.config.IdleTimeout,
+		ReadHeaderTimeout: t.config.ReadHeaderTimeout,
 		BaseContext: func(l net.Listener) context.Context {
 			return ctx
 		},
@@ -264,6 +290,9 @@ func (t *HTTPTransport) handleGet(w http.ResponseWriter, r *http.Request) {
 	}
 	flusher.Flush()

+	// Use ResponseController to manage write deadlines for long-lived SSE connections
+	rc := http.NewResponseController(w)
+
 	// Stream notifications
 	ctx := r.Context()
 	for {
@@ -276,6 +305,11 @@ func (t *HTTPTransport) handleGet(w http.ResponseWriter, r *http.Request) {
 				return
 			}

+			// Extend write deadline before each write
+			if err := rc.SetWriteDeadline(time.Now().Add(30 * time.Second)); err != nil {
+				t.server.logger.Printf("Failed to set write deadline: %v", err)
+			}
+
 			data, err := json.Marshal(notification)
 			if err != nil {
 				t.server.logger.Printf("Failed to marshal notification: %v", err)