Home Ioto Features Download Licensing
Getting Started Quick Start Building Ioto Running Ioto Release Notes
User Guide Ioto Architecture Configuration Configuration Properties Provisioning Devices State Management OTA Upgrading Tracing Man Pages Ioto Project
Developers Guide Embedding Ioto URL Client JSON Parser Safe Runtime Fiber Coroutines Memory Allocation Samples
AWS IoT Integration
MQTT Guide
Web Server Guide Web Server Overview Configuration Configuration Properties Listening for Connections Request Routing Authentication Dynamic Content File Upload TLS / SSL Security Considerations
Ioto API Reference Compatibility APIs
Samples link-library link-main url-fetch url-get web-auth web-dynamic web-static web-upload
Project Resources Ioto News Ioto Web Site Ioto Repository Ioto Security Alerts Project Issue Database
Links Embedthis Web Site Embedthis Blog Twitter
Embedthis Ioto Site Ioto News Repository Blog Twitter
Home
/
Web Server Guide
/
Properties
/
Limits

timeout Properties

The Ioto web server supports timeout properties that improve security by limiting the duration of requests.

Timeouts

Description Collection of timeout properties
Synopsis timeouts: { "Timeout-Property": "Timeout-Value", ...}
Example timeouts: { parse: "10 secs", inactivity: "300 secs", request: "10 mins", session: "30 mins", tls: "1 day", },
Notes

All timeout values are strings, not numbers.

The string values may take human-readable suffixes which indicate the units for the value. The suffixes can be upper or lower case. The supported units are: infinite, never, sec, secs, seconds, min, mins, minute, minutes, hr, hrs, hour, hours, day, days, week, weeks, month, months, year, years.

Ioto has sensible defaults for these timeouts if not explicitly specified.

timeouts → inactivity

Description Defines the maximum duration of no I/O activity before the request will be terminated.
Synopsis inactivity: "duration"
Example inactivity: "30secs"
Notes

The inactivity timeout will be triggered if there is no read or write activity on the network connection to the client over the specified timeout period.

timeouts → parse

Description Defines the maximum duration for parsing the request HTTP headers.
Synopsis parse: "duration"
Example parse: "15secs"
Notes

The parse timeout will be triggered if Ioto cannot read and parse the HTTP headers over the specified timeout period.

It is a security attack vector to open a connection to a web server and then be very slow, or stall writing the HTTP headers. This consumes a network connection and can lead to a denial of service. Setting the parse timeout to be short will limit this attack.

timeouts → request

Description Defines the maximum duration for a request
Synopsis request: "duration"
Example request: "2mins"
Notes

The request timeout will be triggered if the request cannot be completed inside the specified timeout period.

It is good practice to set a request timeout to the maximum duration you expect the longest request to take.

timeouts → session

Description Defines the maximum duration of session inactivity for preserving session state
Synopsis session: "duration"
Example session: "1hr"
Notes

Session state will be preserved for up to the session timeout. When a client accesses or updates the session state, the timeout is restarted.

© Embedthis Software. All rights reserved.