From efab88dbe1f3e824a86afb920f0438992ef708ed Mon Sep 17 00:00:00 2001
From: Doug Davis
Date: Thu, 8 Dec 2022 12:32:36 +0000
Subject: [PATCH] Add ReadHeaderTimeout for security Closes #821
Signed-off-by: Doug Davis
---
 v2/protocol/http/abuse_protection.go | 2 ++
 v2/protocol/http/protocol_lifecycle.go | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/v2/protocol/http/abuse_protection.go b/v2/protocol/http/abuse_protection.go
index 89222a20c..48f03fb6c 100644
--- a/v2/protocol/http/abuse_protection.go
+++ b/v2/protocol/http/abuse_protection.go
@@ -12,6 +12,7 @@ import (
 "net/http"
 "strconv"
 "strings"
+ "time"
 )
 type WebhookConfig struct {
@@ -23,6 +24,7 @@ type WebhookConfig struct {
 const (
 DefaultAllowedRate = 1000
+ DefaultTimeout = time.Second * 600
 )
 // TODO: implement rate limiting.
diff --git a/v2/protocol/http/protocol_lifecycle.go b/v2/protocol/http/protocol_lifecycle.go
index dacfd30f6..04ef96915 100644
--- a/v2/protocol/http/protocol_lifecycle.go
+++ b/v2/protocol/http/protocol_lifecycle.go
@@ -38,8 +38,10 @@ func (p *Protocol) OpenInbound(ctx context.Context) error {
 }
 p.server = &http.Server{
- Addr: listener.Addr().String(),
- Handler: attachMiddleware(p.Handler, p.middleware),
+ Addr: listener.Addr().String(),
+ Handler: attachMiddleware(p.Handler, p.middleware),
+ ReadTimeout: DefaultTimeout,
+ WriteTimeout: DefaultTimeout,
 }
 // Shutdown
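Review bot: `DefaultTimeout` in the second hunk of abuse_protection.go is a new exported constant with no doc comment, and its generic name does not say which timeout it governs. As an exported name it becomes part of the package API, so it is worth documenting now, for example `// DefaultTimeout is the read and write timeout applied to the inbound http.Server.`. Ten minutes is also a generous bound for a value added "for security"; if that length is there to accommodate large event bodies, a short why-comment would help the next reader. The constant is used only in protocol_lifecycle.go, so placing it there (or in a shared options file) may read more naturally than next to `DefaultAllowedRate`.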
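Review bot: The `http.Server` literal in OpenInbound sets `ReadTimeout` and `WriteTimeout` but not the `ReadHeaderTimeout` that the commit subject names. When `ReadHeaderTimeout` is zero, net/http uses `ReadTimeout` for the header phase, so a connection may still take up to 600 seconds to deliver its request headers, and `IdleTimeout` falls back to the same value. A short dedicated field would bound slow-header connections without limiting body size, e.g. `ReadHeaderTimeout: DefaultReadHeaderTimeout,` with a constant of a few seconds (name and value constructed here, not taken from the patch). `WriteTimeout: DefaultTimeout` also caps every response at ten minutes, which may cut off long-running or streaming handlers if the SDK supports any, and neither value is configurable through a protocol option as far as this hunk shows. OpenInbound starts and ends outside the hunk, so any existing option plumbing is not visible here.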