Fix Lack of Resources & Rate Limiting in Echo
Unthrottled endpoints are low-hanging fruit for DoS. If you aren't limiting requests, an attacker can weaponize your own infrastructure to exhaust CPU, memory, or DB connection pools. In Echo, failing to add rate limiting middleware and failing to set server-level timeouts leaves you vulnerable to resource exhaustion and slowloris-style attacks.
The Vulnerable Pattern
package main

import (
	"net/http"

	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()

	// VULNERABLE: No rate limiting, no timeouts, no request body size limits.
	e.GET("/process", func(c echo.Context) error {
		return c.String(http.StatusOK, "Processing expensive task...")
	})
	e.Logger.Fatal(e.Start(":1323"))
}
The Secure Implementation
The secure implementation hardens the Echo instance using three layers of defense:

1. BodyLimit middleware prevents attackers from sending massive payloads that crash the process via OOM (Out of Memory).
2. RateLimiter middleware uses a token bucket algorithm keyed on the RealIP of the caller, allowing 10 requests per second with a burst capacity of 20; excess requests are rejected with a 429 status.
3. The custom http.Server configuration enforces Read/Write timeouts, which is critical to prevent 'Slowloris' attacks where an attacker keeps connections open indefinitely by sending data extremely slowly.
package main

import (
	"net/http"
	"time"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"golang.org/x/time/rate"
)

func main() {
	e := echo.New()

	// 1. Limit request body size to prevent memory exhaustion
	e.Use(middleware.BodyLimit("2M"))

	// 2. Implement rate limiting (token bucket), one bucket per client IP
	config := middleware.RateLimiterConfig{
		Skipper: middleware.DefaultSkipper,
		Store: middleware.NewRateLimiterMemoryStoreWithConfig(
			middleware.RateLimiterMemoryStoreConfig{
				Rate:      rate.Limit(10), // sustained requests per second
				Burst:     20,             // short bursts above the rate
				ExpiresIn: 3 * time.Minute, // forget idle clients
			},
		),
		IdentifierExtractor: func(ctx echo.Context) (string, error) {
			return ctx.RealIP(), nil
		},
	}
	e.Use(middleware.RateLimiterWithConfig(config))

	// 3. Set hard server timeouts
	s := &http.Server{
		Addr:         ":1323",
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 10 * time.Second,
		IdleTimeout:  120 * time.Second,
	}

	e.GET("/process", func(c echo.Context) error {
		return c.String(http.StatusOK, "Request Throttled & Protected")
	})
	e.Logger.Fatal(e.StartServer(s))
}
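To make the three layers concrete without the Echo dependency, here is an added example (not code from the page, from Echo, or from Ghost Labs) that reimplements the same scheme on the Go standard library: a per-client token bucket with the page's numbers (10 req/s, burst 20, 3 minute expiry), a 429 response when the bucket is empty, a 2 MiB body cap via http.MaxBytesReader, and the same ReadTimeout/WriteTimeout/IdleTimeout on http.Server. The ClientLimiter, Protect and bucket names are this example's own. It keys on RemoteAddr rather than a forwarded header; that choice, and the injectable clock, are assumptions made so the behaviour is verifiable offline.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

// bucket is one client's token bucket: tokens refill continuously at the
// configured rate up to the burst size, and each request spends one.
type bucket struct {
	tokens   float64
	lastSeen time.Time
}

// ClientLimiter keeps one bucket per client IP with the same rate/burst/expiry
// knobs as the Echo memory store. The clock is injectable for deterministic tests.
type ClientLimiter struct {
	mu        sync.Mutex
	rate      float64       // tokens added per second
	burst     float64       // bucket capacity, also a new client's balance
	expiresIn time.Duration // idle buckets are evicted after this
	now       func() time.Time
	buckets   map[string]*bucket
}

func NewClientLimiter(ratePerSec float64, burst int, expiresIn time.Duration) *ClientLimiter {
	return &ClientLimiter{rate: ratePerSec, burst: float64(burst), expiresIn: expiresIn,
		now: time.Now, buckets: make(map[string]*bucket)}
}

// Allow reports whether client id may proceed, spending one token if so. Idle
// buckets are swept on every call to keep the example short; a real store
// would sweep on a timer so that Allow stays O(1).
func (l *ClientLimiter) Allow(id string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	for k, b := range l.buckets {
		if now.Sub(b.lastSeen) > l.expiresIn {
			delete(l.buckets, k)
		}
	}
	b, ok := l.buckets[id]
	if !ok {
		b = &bucket{tokens: l.burst, lastSeen: now}
		l.buckets[id] = b
	}
	// Refill in proportion to elapsed time, never above the burst size.
	b.tokens += now.Sub(b.lastSeen).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.lastSeen = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Protect wraps next with a request body cap and the per-IP rate limit. The IP
// comes from RemoteAddr, not X-Forwarded-For: that header is client-supplied
// unless a trusted reverse proxy overwrites it (an assumption of this example).
func Protect(l *ClientLimiter, maxBody int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		if !l.Allow(host) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		// Reads past maxBody fail inside the handler instead of growing memory.
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		next.ServeHTTP(w, r)
	})
}

func main() {
	limiter := NewClientLimiter(10, 20, 3*time.Minute)
	h := Protect(limiter, 2<<20, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("Request Throttled & Protected"))
	}))
	// Same hard timeouts as the Echo snippet: a slow-sending client cannot hold
	// a connection (and its goroutine) open indefinitely.
	s := &http.Server{Addr: ":1323", Handler: h, ReadTimeout: 5 * time.Second,
		WriteTimeout: 10 * time.Second, IdleTimeout: 120 * time.Second}
	log.Fatal(s.ListenAndServe())
}
```

The identifier choice matters as much as the numbers: Echo's RealIP() honours X-Forwarded-For and X-Real-IP, so a limiter keyed on it can be bypassed by anyone who can set those headers unless the app sits behind a proxy that strips or rewrites them. When deploying the Echo version, configure e.IPExtractor for your topology (echo.ExtractIPDirect() with no proxy, or echo.ExtractIPFromXFFHeader with trust options for your proxy's address range) so that each bucket really corresponds to one client.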
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.