Timeout Properties
The Ioto web server supports timeout properties that improve security by limiting the duration of requests.
Timeouts
Description | Collection of timeout properties |
Synopsis | timeouts: { "Timeout-Property": "Timeout-Value", ...} |
Example |
timeouts: {
    parse: "10 secs",
    inactivity: "300 secs",
    request: "10 mins",
    session: "30 mins",
    tls: "1 day",
},
|
Notes |
All timeout values are strings, not numbers. The string values may take human-readable suffixes that indicate the units for the value. The suffixes can be upper or lower case. The supported units are: infinite, never, sec, secs, seconds, min, mins, minute, minutes, hr, hrs, hour, hours, day, days, week, weeks, month, months, year, years. Ioto uses sensible defaults for any timeout that is not explicitly specified. |
timeouts → inactivity
Description | Defines the maximum duration of no I/O activity before the request will be terminated. |
Synopsis | inactivity: "duration" |
Example | inactivity: "30secs" |
Notes |
The inactivity timeout will be triggered if there is no read or write activity on the network connection to the client over the specified timeout period. |
timeouts → parse
Description | Defines the maximum duration for parsing the request HTTP headers. |
Synopsis | parse: "duration" |
Example | parse: "15secs" |
Notes |
The parse timeout will be triggered if Ioto cannot read and parse the HTTP headers within the specified timeout period. A client that opens a connection to a web server and then writes the HTTP headers very slowly, or stalls while writing them, is a security attack vector. Each such connection consumes a network connection, which can lead to a denial of service. Setting a short parse timeout limits this attack. |
timeouts → request
Description | Defines the maximum duration for a request. |
Synopsis | request: "duration" |
Example | request: "2mins" |
Notes |
The request timeout will be triggered if the request cannot be completed within the specified timeout period. It is good practice to set the request timeout to the maximum duration you expect the longest request to take. |
timeouts → session
Description | Defines the maximum duration of session inactivity for preserving session state. |
Synopsis | session: "duration" |
Example | session: "1hr" |
Notes |
Session state will be preserved for up to the session timeout. When a client accesses or updates the session state, the timeout is restarted. |
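The value format and the parse and request notes above can be checked mechanically before a configuration is deployed. The following is an added example, not Ioto's own parser or code from this page: `parse_duration` and `audit_timeouts` are hypothetical names, the collection is assumed to be already loaded as a dict, and the 30-second `max_parse` limit, 30-day month, 365-day year and stand-alone `infinite`/`never` values are assumptions.

```python
import re

# Seconds per unit suffix listed on the page. 30-day months and 365-day years
# are assumptions; the page does not define them.
UNITS = {}
for names, seconds in (("sec secs seconds", 1), ("min mins minute minutes", 60),
                       ("hr hrs hour hours", 3600), ("day days", 86400),
                       ("week weeks", 604800), ("month months", 2592000),
                       ("year years", 31536000)):
    UNITS.update(dict.fromkeys(names.split(), seconds))

INFINITE = float("inf")
DURATION = re.compile(r"(\d+)\s*([a-z]+)")


def parse_duration(value):
    """Convert a timeout string such as "10 mins" or "30secs" to seconds."""
    if not isinstance(value, str):
        raise ValueError(f"must be a string, got {value!r}")
    text = value.strip().lower()          # suffixes may be upper or lower case
    if text in ("infinite", "never"):     # assumed to stand alone as a value
        return INFINITE
    match = DURATION.fullmatch(text)
    if not match or match.group(2) not in UNITS:
        raise ValueError(f"unrecognised duration {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


def audit_timeouts(timeouts, max_parse=30):
    """Return findings for a "timeouts" collection already loaded as a dict."""
    findings, secs = [], {}
    for key, value in timeouts.items():
        try:
            secs[key] = parse_duration(value)
        except ValueError as err:
            findings.append(f"{key}: {err}")
    for key in ("parse", "inactivity", "request"):
        if secs.get(key) == INFINITE:
            findings.append(f"{key}: unbounded, no limit is enforced")
    parse, request = secs.get("parse"), secs.get("request")
    if parse is not None and parse != INFINITE:
        if parse > max_parse:             # max_parse is an assumed audit limit
            findings.append(f"parse: {parse}s exceeds the {max_parse}s audit limit")
        if request is not None and parse > request:
            findings.append("parse: longer than the request timeout")
    return findings


# Constructed samples: the page's example collection and a weakened variant.
PAGE_EXAMPLE = {"parse": "10 secs", "inactivity": "300 secs",
                "request": "10 mins", "session": "30 mins", "tls": "1 day"}
WEAK = {"parse": "5 MINS", "inactivity": "never", "request": "2mins", "session": 1800}
```

`audit_timeouts(PAGE_EXAMPLE)` returns an empty list, while `audit_timeouts(WEAK)` reports the numeric session value, the unbounded inactivity timeout, and a parse timeout that is both over the limit and longer than the request timeout.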