| field | value | date |
|---|---|---|
| author | Paolo Insogna <paolo@cowtech.it> | 2022-04-13 17:47:59 +0300 |
| committer | GitHub <noreply@github.com> | 2022-04-13 17:47:59 +0300 |
| commit | 3caa2c1a005652fdb3e896ef940cd5ffe5fdff10 (patch) | |
| tree | f8e9e9bfe7c95d5633c86e021518f487a9eadb8f /doc | |
| parent | 9d6af7d1fe66afdcb781fb5bad37b4cb4d396f0e (diff) | |
http: refactor headersTimeout and requestTimeout logic
PR-URL: https://github.com/nodejs/node/pull/41263
Fixes: https://github.com/nodejs/node/issues/33440
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/http.md | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/doc/api/http.md b/doc/api/http.md index 5c3c7d9a7a7..851679dfc31 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -1364,15 +1364,12 @@ added: Limit the amount of time the parser will wait to receive the complete HTTP headers. -In case of inactivity, the rules defined in [`server.timeout`][] apply. However, -that inactivity based timeout would still allow the connection to be kept open -if the headers are being sent very slowly (by default, up to a byte per 2 -minutes). In order to prevent this, whenever header data arrives an additional -check is made that more than `server.headersTimeout` milliseconds has not -passed since the connection was established. If the check fails, a `'timeout'` -event is emitted on the server object, and (by default) the socket is destroyed. -See [`server.timeout`][] for more information on how timeout behavior can be -customized. +If the timeout expires, the server responds with status 408 without +forwarding the request to the request listener and then closes the connection. + +It must be set to a non-zero value (e.g. 120 seconds) to protect against +potential Denial-of-Service attacks in case the server is deployed without a +reverse proxy in front. ### `server.listen()` @@ -1401,9 +1398,14 @@ Limits maximum incoming headers count. If set to 0, no limit will be applied. <!-- YAML added: v14.11.0 +changes: + - version: REPLACEME + pr-url: https://github.com/nodejs/node/pull/41263 + description: The default request timeout changed + from no timeout to 300s (5 minutes). --> -* {number} **Default:** `0` +* {number} **Default:** `300000` Sets the timeout value in milliseconds for receiving the entire request from the client. 
@@ -2857,6 +2859,10 @@ Found'`. added: v0.1.13 changes: - version: REPLACEME + pr-url: https://github.com/nodejs/node/pull/41263 + description: The `requestTimeout`, `headersTimeout`, `keepAliveTimeout` and + `connectionsCheckingInterval` are supported now. + - version: REPLACEME pr-url: https://github.com/nodejs/node/pull/42163 description: The `noDelay` option now defaults to `true`. - version: v17.7.0 @@ -2886,6 +2892,22 @@ changes: * `ServerResponse` {http.ServerResponse} Specifies the `ServerResponse` class to be used. Useful for extending the original `ServerResponse`. **Default:** `ServerResponse`. + * `requestTimeout`: Sets the timeout value in milliseconds for receiving + the entire request from the client. + See [`server.requestTimeout`][] for more information. + **Default:** `300000`. + * `headersTimeout`: Sets the timeout value in milliseconds for receiving + the complete HTTP headers from the client. + See [`server.headersTimeout`][] for more information. + **Default:** `60000`. + * `keepAliveTimeout`: The number of milliseconds of inactivity a server + needs to wait for additional incoming data, after it has finished writing + the last response, before a socket will be destroyed. + See [`server.keepAliveTimeout`][] for more information. + **Default:** `5000`. + * `connectionsCheckingInterval`: Sets the interval value in milliseconds to + check for request and headers timeout in incomplete requests. + **Default:** `30000`. * `insecureHTTPParser` {boolean} Use an insecure HTTP parser that accepts invalid HTTP headers when `true`. Using the insecure parser should be avoided. See [`--insecure-http-parser`][] for more information. 
@@ -3478,7 +3500,10 @@ try { [`response.write(data, encoding)`]: #responsewritechunk-encoding-callback [`response.writeContinue()`]: #responsewritecontinue [`response.writeHead()`]: #responsewriteheadstatuscode-statusmessage-headers +[`server.headersTimeout`]: #serverheaderstimeout +[`server.keepAliveTimeout`]: #serverkeepalivetimeout [`server.listen()`]: net.md#serverlisten +[`server.requestTimeout`]: #serverrequesttimeout [`server.timeout`]: #servertimeout [`setHeader(name, value)`]: #requestsetheadername-value [`socket.connect()`]: net.md#socketconnectoptions-connectlistener |
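Review bot: the rewritten `server.headersTimeout` paragraph in the first hunk removes the statement that a `'timeout'` event is emitted on the server object and that the socket is destroyed by default, but does not say whether that still holds now that the server answers with status 408 and closes the connection; state explicitly whether the `'timeout'` event still fires, since existing handlers may depend on it. The advice "It must be set to a non-zero value (e.g. 120 seconds)" also disagrees with the `60000` default documented for the `headersTimeout` option later in this patch, and this section's YAML block gets no `changes:` entry for this PR even though the behaviour changed; consider adding one modelled on the `server.requestTimeout` entry.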
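Review bot: in the `server.requestTimeout` hunk, moving the default from `0` (no timeout) to `300000` is a behavioural change that will cut off slow uploads which previously had no limit, yet the body text still only reads "Sets the timeout value in milliseconds for receiving the entire request from the client." Unlike the `headersTimeout` section, it does not say what happens when the timeout fires (408 response and connection close) or whether `0` still disables the check; spell both out here so operators can judge the impact of the new default.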
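Review bot: the new `changes:` description "The `requestTimeout`, `headersTimeout`, `keepAliveTimeout` and `connectionsCheckingInterval` are supported now." is missing its noun; suggest "The `requestTimeout`, `headersTimeout`, `keepAliveTimeout` and `connectionsCheckingInterval` options are now supported." to match the wording of the `noDelay` entry directly below it.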
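Review bot: the four options added to `http.createServer()` lack the type annotation carried by the neighbouring entries (`ServerResponse` {http.ServerResponse}, `insecureHTTPParser` {boolean}); add `{number}` to each, e.g. `* \`requestTimeout\` {number}: Sets the timeout value in milliseconds ...`. `connectionsCheckingInterval` is also the only one of the four without a `See [...]` link to a server property, and because it describes a periodic check "for request and headers timeout in incomplete requests", the text should make clear that a request can exceed `requestTimeout` or `headersTimeout` by up to that interval (30 seconds by default) before it is terminated; that lag matters to anyone tuning these values for the Denial-of-Service protection the `headersTimeout` section refers to.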