5.2.1 Ensure timeout values for reading the client header and body are set correctly - client_body_timeout

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The client_header_timeout and client_body_timeout directives define the time the server will wait for the header or body to be sent from the client. If the client does not send the entire header in this predefined timeframe, the server will send back a 408 request timeout error.

Rationale:

Setting the client header and body timeouts help your server mitigate possible denial of service attacks. By timing out a request, the server is able to free up resources that may be waiting for the body or header.

Solution

Find the HTTP or server block of your nginx configuration and add the client_header_timeout and client_body_timeout directives set to the configuration. The below example sets the timeouts to 10 seconds.

client_body_timeout 10;
client_header_timeout 10;

Default Value:

client_header_timeout 60; client_body_timeout 60;

See Also

https://workbench.cisecurity.org/files/4212