GuardAPI

Fix Unrestricted Resource Consumption in Echo

Unrestricted resource consumption in Echo is a classic DoS vector. By default, Echo doesn't cap request body sizes or enforce strict timeouts, meaning an attacker can saturate your RAM with massive payloads or exhaust file descriptors via slow-reading connections. If you're running Echo with default settings, you're one 'curl -X POST' away from an OOM kill or a hung process.

The Vulnerable Pattern

package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()

	// VULNERABLE: No body limit, no timeouts, no rate limiting.
	// Echo's defaults read the whole request body and keep connections
	// open indefinitely, so nothing bounds memory or descriptor use here.
	e.POST("/data", func(c echo.Context) error {
		return c.NoContent(200)
	})

	e.Start(":1323")
}

The Secure Implementation

The hardened configuration adds three critical layers of defense. First, 'middleware.BodyLimit' rejects any request whose body exceeds 2MB before the handler even touches it, protecting the heap. Second, 'middleware.RateLimiter' stops a single IP from flooding the endpoint and monopolizing CPU and handler goroutines. Finally, by passing a custom 'http.Server' to 'e.StartServer', we set 'ReadTimeout' and 'WriteTimeout'. This is what kills 'zombie' connections that stay open without sending data, neutralizing Slowloris-style attacks. The 'Timeout' middleware in the code below additionally bounds how long any single handler may run.

package main

import (
	"net/http"
	"time"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()

	// 1. Enforce Body Size Limit (Prevent OOM): rejects an oversize
	//    Content-Length up front and caps the bytes actually read,
	//    so chunked uploads without a declared length are limited too
	e.Use(middleware.BodyLimit("2M"))

	// 2. Rate Limiting (Prevent CPU/Thread exhaustion): 20 requests per
	//    second per client IP; the burst defaults to the same value
	e.Use(middleware.RateLimiter(middleware.NewRateLimiterMemoryStore(20)))

	// 3. Request Timeout Middleware: bounds how long a handler may run
	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
		Timeout: 30 * time.Second,
	}))

	// 4. Connection-level timeouts on the underlying net/http server
	s := &http.Server{
		Addr:         ":1323",
		ReadTimeout:  5 * time.Second, // Mitigates Slowloris
		WriteTimeout: 10 * time.Second,
		IdleTimeout:  120 * time.Second,
	}

	// StartServer installs e as s.Handler, so every route passes
	// through the middleware registered above
	e.Logger.Fatal(e.StartServer(s))
}
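As an added example (not code from the page or from the Echo project), here is the body-cap layer written against net/http directly, mirroring what 'middleware.BodyLimit' does: reject a declared oversize Content-Length before the handler runs, and wrap the body with 'http.MaxBytesReader' so a chunked request with no declared length is cut off at the cap as well; the server carries the page's timeouts plus 'ReadHeaderTimeout'. The names 'bodyLimit', 'dataHandler' and 'newHardenedServer' are hypothetical.

```go
package main

import (
	"io"
	"net/http"
	"time"
)

// maxBody mirrors the page's BodyLimit("2M"): 2 MiB.
const maxBody = 2 << 20

// bodyLimit (hypothetical name) is a net/http equivalent of Echo's
// middleware.BodyLimit: reject a declared Content-Length over the cap
// before the handler runs, and wrap the body so a chunked request with
// no declared length is cut off at the cap as well.
func bodyLimit(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > limit {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// dataHandler drains the body; a read error here means MaxBytesReader
// hit the cap (or the client went away), so the request is refused.
func dataHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := io.Copy(io.Discard, r.Body); err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// newHardenedServer carries the page's timeouts and adds ReadHeaderTimeout,
// so a client that dribbles header bytes is disconnected as well.
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       5 * time.Second, // mitigates Slowloris
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       120 * time.Second,
	}
}
```

To run it, register the route with `mux.Handle("/data", bodyLimit(maxBody, http.HandlerFunc(dataHandler)))` and start `newHardenedServer(":1323", mux).ListenAndServe()`.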


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.