fix: 60s read header timeout on http servers (#358)

Signed-off-by: Chris Gianelloni <[email protected]>

Author: wolf31o2

cmd/cardano-node-api/main.go

@@ -1,4 +1,4 @@
-// Copyright 2023 Blink Labs Software
+// Copyright 2025 Blink Labs Software
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -18,9 +18,11 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
-	_ "net/http/pprof"
 	"os"
+	"time"
 
+	// #nosec G108
+	_ "net/http/pprof"
 	_ "go.uber.org/automaxprocs"
 
 	"github.com/blinklabs-io/cardano-node-api/internal/api"
@@ -66,7 +68,11 @@ func main() {
 		}
 	}
 
-	logger.Info("starting cardano-node-api version", "version", version.GetVersionString())
+	logger.Info(
+		"starting cardano-node-api version",
+		"version",
+		version.GetVersionString(),
+	)
 
 	// Start debug listener
 	if cfg.Debug.ListenPort > 0 {
@@ -76,14 +82,15 @@ func main() {
 			cfg.Debug.ListenPort,
 		))
 		go func() {
-			err := http.ListenAndServe(
-				fmt.Sprintf(
+			debugger := &http.Server{
+				Addr: fmt.Sprintf(
 					"%s:%d",
 					cfg.Debug.ListenAddress,
 					cfg.Debug.ListenPort,
 				),
-				nil,
-			)
+				ReadHeaderTimeout: 60 * time.Second,
+			}
+			err := debugger.ListenAndServe()
 			if err != nil {
 				logger.Error("failed to start debug listener:", "error", err)
 				os.Exit(1)

internal/utxorpc/api.go

@@ -1,4 +1,4 @@
-// Copyright 2024 Blink Labs Software
+// Copyright 2025 Blink Labs Software
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@ package utxorpc
 import (
 	"fmt"
 	"net/http"
+	"time"
 
 	"connectrpc.com/connect"
 	"connectrpc.com/grpchealth"
@@ -104,23 +105,30 @@ func Start(cfg *config.Config) error {
 		),
 	)
 	if cfg.Tls.CertFilePath != "" && cfg.Tls.KeyFilePath != "" {
-		err := http.ListenAndServeTLS(
-			fmt.Sprintf(
+		server := &http.Server{
+			Addr: fmt.Sprintf(
 				"%s:%d",
 				cfg.Utxorpc.ListenAddress,
 				cfg.Utxorpc.ListenPort,
 			),
+			Handler:           mux,
+			ReadHeaderTimeout: 60 * time.Second,
+		}
+		return server.ListenAndServeTLS(
 			cfg.Tls.CertFilePath,
 			cfg.Tls.KeyFilePath,
-			mux,
 		)
-		return err
 	} else {
-		err := http.ListenAndServe(
-			fmt.Sprintf("%s:%d", cfg.Utxorpc.ListenAddress, cfg.Utxorpc.ListenPort),
+		server := &http.Server{
+			Addr: fmt.Sprintf(
+				"%s:%d",
+				cfg.Utxorpc.ListenAddress,
+				cfg.Utxorpc.ListenPort,
+			),
 			// Use h2c so we can serve HTTP/2 without TLS
-			h2c.NewHandler(mux, &http2.Server{}),
-		)
-		return err
+			Handler:           h2c.NewHandler(mux, &http2.Server{}),
+			ReadHeaderTimeout: 60 * time.Second,
+		}
+		return server.ListenAndServe()
 	}
 }