From 1939d18ba8d25fa43d3ed3b008fed474bfdc881b Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
Date: Thu, 7 May 2026 16:00:14 +0200
Subject: [PATCH] fix: add server timeouts to prevent goroutine/memory leak
 from idle keep-alive connections

Without IdleTimeout, clients holding keep-alive connections open indefinitely
caused server-side goroutines (and their ~16KB of buffers) to accumulate
linearly until OOM.
---
 pkg/server/server.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/server/server.go b/pkg/server/server.go
index 22b4617..eef1d44 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -17,8 +17,12 @@ import (
 
 func Start(cfg *config.Config, r chi.Router) error {
 	server := http.Server{
-		Addr:    cfg.BindAddress,
-		Handler: r,
+		Addr:              cfg.BindAddress,
+		Handler:           r,
+		ReadHeaderTimeout: 10 * time.Second, // Prevents slowloris attacks (connections held open without sending headers).
+		IdleTimeout:       90 * time.Second, // Reclaims idle keep-alive connections; without this, goroutines and buffers leak indefinitely.
+		MaxHeaderBytes:    1 << 16,          // 64KB
+		// ReadTimeout/WriteTimeout intentionally omitted - a reverse proxy must support slow transfers.
 	}
 
 	serverCtx, serverStopCtx := context.WithCancel(context.Background())