timeout Properties

The Ioto web server supports timeout properties that improve security by limiting the duration of requests.

Timeouts

Description: Collection of timeout properties.
Synopsis: timeouts: { "Timeout-Property": "Timeout-Value", ...}
Example:
    timeouts: {
        parse: "10 secs",
        inactivity: "300 secs",
        request: "10 mins",
        session: "30 mins",
        tls: "1 day",
    },
Notes

All timeout values are strings, not numbers.

The string values may take human-readable suffixes which indicate the units for the value. The suffixes can be upper or lower case. The supported units are: infinite, never, sec, secs, seconds, min, mins, minute, minutes, hr, hrs, hour, hours, day, days, week, weeks, month, months, year, years.

Ioto has sensible defaults for these timeouts if not explicitly specified.

timeouts → inactivity

Description: Defines the maximum duration of no I/O activity before the request will be terminated.
Synopsis: inactivity: "duration"
Example: inactivity: "30secs"
Notes

The inactivity timeout will be triggered if there is no read or write activity on the network connection to the client over the specified timeout period.

timeouts → parse

Description: Defines the maximum duration for parsing the request HTTP headers.
Synopsis: parse: "duration"
Example: parse: "15secs"
Notes

The parse timeout will be triggered if Ioto cannot read and parse the HTTP headers over the specified timeout period.

A client can attack a web server by opening a connection and then writing the HTTP headers very slowly, or stalling altogether. This consumes a network connection and can lead to a denial of service. Setting a short parse timeout limits this attack.

timeouts → request

Description: Defines the maximum duration for a request.
Synopsis: request: "duration"
Example: request: "2mins"
Notes

The request timeout will be triggered if the request cannot be completed inside the specified timeout period.

It is good practice to set the request timeout to the longest duration you expect any request to take.
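As an added example (not part of Ioto or its documentation), the following Python script parses timeout strings using the units listed above and flags parse, inactivity and request values that are unbounded or above a review ceiling. The LIMITS ceilings, the 30-day month and 365-day year, and the rejection of a bare number with no unit are assumptions of this example.

```python
import re

# Month = 30 days, year = 365 days: assumptions of this example, not from the page.
UNITS = {}
for names, secs in ((("sec", "secs", "seconds"), 1),
                    (("min", "mins", "minute", "minutes"), 60),
                    (("hr", "hrs", "hour", "hours"), 3600),
                    (("day", "days"), 86400),
                    (("week", "weeks"), 604800),
                    (("month", "months"), 30 * 86400),
                    (("year", "years"), 365 * 86400)):
    UNITS.update(dict.fromkeys(names, secs))

UNBOUNDED = float("inf")

def parse_duration(value):
    """Convert "10 secs" or "2mins" to seconds; a bare number with no unit is rejected."""
    if not isinstance(value, str):
        raise ValueError(f"timeout must be a string, got {value!r}")
    text = value.strip().lower()
    if text in ("infinite", "never"):
        return UNBOUNDED
    m = re.fullmatch(r"(\d+)\s*([a-z]+)", text)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unrecognised timeout value {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

# Hypothetical review ceilings in seconds, chosen for this example only.
LIMITS = {"parse": 30, "inactivity": 600, "request": 3600}

def audit_timeouts(timeouts):
    """Return a list of findings for the network-facing timeouts."""
    findings = []
    for name, limit in LIMITS.items():
        if name not in timeouts:
            continue  # not set explicitly, so the server default applies
        try:
            secs = parse_duration(timeouts[name])
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        if secs == UNBOUNDED:
            findings.append(f"{name}: unbounded, no limit is enforced")
        elif secs > limit:
            findings.append(f"{name}: {secs}s exceeds review ceiling {limit}s")
    return findings

# Constructed sample: values from the page's example with parse weakened to "never".
SAMPLE = {"parse": "never", "inactivity": "300 secs", "request": "10 mins"}
```

Calling audit_timeouts(SAMPLE) reports only the unbounded parse timeout; the inactivity and request values fall within the example ceilings.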

timeouts → session

Description: Defines the maximum duration of session inactivity for preserving session state.
Synopsis: session: "duration"
Example: session: "1hr"
Notes

Session state will be preserved for up to the session timeout. When a client accesses or updates the session state, the timeout is restarted.

© Embedthis Software. All rights reserved.