From 18ef3574104ff8fd9fea3136c6b2e9d5a9055452 Mon Sep 17 00:00:00 2001
From: toim
Date: Tue, 31 Mar 2026 15:06:05 +0300
Subject: [PATCH 1/2] Add note about http.Server.WriteTimeout and SSE connection
---
 server.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server.go b/server.go
index ed563c50d..277dbfd63 100644
--- a/server.go
+++ b/server.go
@@ -109,7 +109,9 @@ func (sc StartConfig) start(ctx stdContext.Context, h http.Handler) error {
 ErrorLog: slog.NewLogLogger(logger.Handler(), slog.LevelError),
 // defaults for GoSec rule G112 // https://github.com/securego/gosec
 // G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server
- ReadTimeout: 30 * time.Second,
+ ReadTimeout: 30 * time.Second,
+ // WriteTimeout is a max time allowed to write the response
+ // IMPORTANT: set this to 0 when using Server-Sent-Events (SSE)
 WriteTimeout: 30 * time.Second,
 }

From 952452a14c3a633433b0752fbe706fc3c24eb7c4 Mon Sep 17 00:00:00 2001
From: toim
Date: Tue, 31 Mar 2026 15:16:42 +0300
Subject: [PATCH 2/2] Do not set http.Server.WriteTimeout in StartConfig this is bad for SSE and static file serving
---
 server.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server.go b/server.go
index 277dbfd63..ff2136fec 100644
--- a/server.go
+++ b/server.go
@@ -111,8 +111,8 @@ func (sc StartConfig) start(ctx stdContext.Context, h http.Handler) error {
 // G112 (CWE-400): Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server
 ReadTimeout: 30 * time.Second,
 // WriteTimeout is a max time allowed to write the response
- // IMPORTANT: set this to 0 when using Server-Sent-Events (SSE)
- WriteTimeout: 30 * time.Second,
+ // IMPORTANT: set this to 0 when using Server-Sent-Events (SSE) or some larger duration when serving static files
+ // WriteTimeout: 30 * time.Second,
 }

 listener := sc.Listener
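Review bot: In the second patch's hunk (`@@ -111,8 +111,8 @@`), commenting out `WriteTimeout` leaves the server built in `start` with no default bound on how long a response write may take. A client that reads slowly can then hold a connection and its goroutine open indefinitely, and the G112 comment above only covers the read side. The comment kept next to it still says "set this to 0", which is now already the default, and the commented-out field is dead code. I would replace both lines with a statement of the new contract, e.g. `// WriteTimeout is intentionally unset (0 = no limit) so SSE and large static files are not cut off;` followed by `// bound ordinary handlers per request, e.g. http.ResponseController.SetWriteDeadline or http.TimeoutHandler.` The struct literal and the body of `start` continue outside the hunk, so whether callers have another way to set a server-wide value is not visible here.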