From 04678b7b6e7fece850a91752bb5ba9594ed24f42 Mon Sep 17 00:00:00 2001
From: Cyprian Kowalczyk <cyprian@iRonin.pl>
Date: Thu, 9 Apr 2026 21:05:18 -0400
Subject: [PATCH] feat(server): add 30s connection timeout to prevent
 slow-client thread exhaustion (#198)

Set Handler.timeout = 30. Python's BaseHTTPRequestHandler.setup()
calls self.request.settimeout(timeout), which raises socket.timeout
on idle or slow connections after the configured duration.

This defends against Slowloris-style attacks where a client holds
connections open indefinitely, exhausting threads in ThreadingHTTPServer.
Also recovers threads from crashed clients with hung TCP connections.

Addresses #194.
---
 server.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server.py b/server.py
index 0dde030..2fd1932 100644
--- a/server.py
+++ b/server.py
@@ -15,6 +15,7 @@ from api.routes import handle_get, handle_post
 
 
 class Handler(BaseHTTPRequestHandler):
+    timeout = 30  # seconds — kills idle/incomplete connections to prevent thread exhaustion
     server_version = 'HermesWebUI/0.2'
     def log_message(self, fmt, *args): pass  # suppress default Apache-style log