I have a Spring Boot application that uses embedded Tomcat, and I want to set mod_reqtimeout
to prevent slow HTTP DoS attacks. How can I set or initialize this module in the Spring Boot configuration?
Acunetix shows this warning:
Your web server is vulnerable to Slow HTTP DoS (Denial of Service) attacks. Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.
When I googled this warning, I saw that I should set mod_reqtimeout,
as you can see below:
I resolved the problem by injecting the bean below, which sets the connection timeout of the connector:
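    import org.apache.coyote.AbstractProtocol;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;

    // Set the connector's connection timeout to 8000 ms.
    @Bean
    public EmbeddedServletContainerFactory servletContainerFactory() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
        factory.addConnectorCustomizers(connector ->
                ((AbstractProtocol<?>) connector.getProtocolHandler()).setConnectionTimeout(8000));
        return factory;
    }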
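mod_reqtimeout is an Apache httpd module, so embedded Tomcat has nothing of that name to load; its HTTP connector attributes play that role. The following added example (not the answerer's code) extends the bean above with the related connector limits, using the same Spring Boot 1.x API. The class name and every numeric value are assumptions to tune for your own traffic.

```java
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example, not the answerer's code. All numeric values are illustrative assumptions.
@Configuration
public class SlowHttpHardeningConfig { // hypothetical class name

    @Bean
    public EmbeddedServletContainerFactory servletContainerFactory() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
        factory.addConnectorCustomizers(connector -> {
            ProtocolHandler handler = connector.getProtocolHandler();
            if (!(handler instanceof AbstractHttp11Protocol)) {
                // Fail at startup rather than silently run a connector without these limits.
                throw new IllegalStateException(
                        "Unexpected protocol handler: " + handler.getClass().getName());
            }
            AbstractHttp11Protocol<?> http = (AbstractHttp11Protocol<?>) handler;

            // Wait for the request line and headers to arrive (the Slowloris phase).
            http.setConnectionTimeout(8000);
            // Idle time allowed between requests on a keep-alive connection.
            http.setKeepAliveTimeout(5000);
            // Body reads use connectionTimeout by default; enabling the upload timeout
            // lets the body phase (slow POST) be bounded separately from the headers.
            http.setDisableUploadTimeout(false);
            http.setConnectionUploadTimeout(15000);
            // Upper bound on sockets the connector keeps open at once.
            http.setMaxConnections(2000);
        });
        return factory;
    }
}
```

These Tomcat timeouts bound the wait for the next read rather than the duration of the whole request, so a minimum transfer rate like the one mod_reqtimeout enforces still has to come from a reverse proxy or load balancer in front of the application.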