From 118d1e439892b1c72d7524b16d8c8c2110abb6de Mon Sep 17 00:00:00 2001
From: n0ctal <4c866w5fn9@privaterelay.appleid.com>
Date: Sat, 20 Jun 2026 03:39:17 +0500
Subject: [PATCH] fix(sub): set read/write/idle timeouts on the subscription server (#5360)
The public subscription http.Server set no timeouts, leaving the most exposed listener open to slow-header/Slowloris exhaustion. Mirror the panel server timeouts already used in internal/web/web.go.
---
 internal/sub/sub.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/internal/sub/sub.go b/internal/sub/sub.go
index 160693d8f..d2d08cb42 100644
--- a/internal/sub/sub.go
+++ b/internal/sub/sub.go
@@ -297,6 +297,13 @@ func (s *Server) Start() (err error) {
 s.httpServer = &http.Server{
 Handler: engine,
+ // The subscription server is the most exposed (public) listener; without
+ // these a few slow-header connections exhaust it (Slowloris). Mirrors the
+ // panel server timeouts in internal/web/web.go.
+ ReadHeaderTimeout: 5 * time.Second,
+ ReadTimeout: 30 * time.Second,
+ WriteTimeout: 30 * time.Second,
+ IdleTimeout: 120 * time.Second,
 }
 go func() {
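Review bot: The four timeout literals in the `http.Server{...}` composite are hand-copied from the panel server, so nothing keeps the two listeners in step and the comment's "Mirrors the panel server timeouts" can go stale unnoticed; defining the values once and referencing them from both `internal/sub/sub.go` and `internal/web/web.go` would make that claim enforceable. The comment should also say what the settings do not cover, e.g. `// Bounds how long one connection may stall; does not cap the number of concurrent connections.`, since per-connection deadlines alone leave connection-count exhaustion to a listener limit or a fronting proxy. `WriteTimeout: 30 * time.Second` is a deadline on the whole response, so it is worth confirming that no subscription handler legitimately takes longer. `Start` begins before and continues past this hunk, so how the listener itself is created is not visible here.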