# Issue #282: Add HTTP request timeouts (DoS risk)

## Objective

Add 10-second timeout to all HTTP requests to prevent DoS attacks via slowloris and resource exhaustion.

## Security Impact

- DoS via slowloris attack (attacker sends data very slowly)
- Resource exhaustion from hung connections
- API becomes unresponsive
- P0 security vulnerability

## Current Status

✅ HttpModule is already configured with 10-second timeout in federation.module.ts:29

- All HTTP requests via HttpService automatically use this timeout
- No code changes needed in command.service.ts, query.service.ts, or event.service.ts

## Implementation Plan

- [x] Review federation.module.ts timeout configuration
- [x] Add test for HTTP timeout enforcement
- [x] Add test for timeout configuration
- [x] Verify query.service.ts uses timeout (via HttpModule)
- [x] Verify event.service.ts uses timeout (via HttpModule)
- [x] Verify command.service.ts uses timeout (via HttpModule)
- [x] Run quality gates (lint, typecheck, build, tests)

## Testing

- Test HTTP timeout is configured correctly ✅
- Test all federation services use HttpService (which has timeout) ✅
- Maintain 85%+ coverage ✅

## Results

- Timeout already configured via `HttpModule.register({ timeout: 10000, maxRedirects: 5 })`
- All federation services (command, query, event, connection) use HttpService
- Added http-timeout.spec.ts to verify timeout configuration
- All 4 new tests pass
- Verified all federation HTTP requests go through configured HttpService

## Code Review

### federation.module.ts (lines 28-31):

```typescript
HttpModule.register({
  timeout: 10000, // 10-second timeout prevents DoS
  maxRedirects: 5,
}),
```

### Services using HttpService:

1. command.service.ts:100 - `await firstValueFrom(this.httpService.post(remoteUrl, signedCommand))`
2. query.service.ts:100 - `await firstValueFrom(this.httpService.post(remoteUrl, signedQuery))`
3. event.service.ts:185 - `await firstValueFrom(this.httpService.post(remoteUrl, signedEvent))`
4. connection.service.ts:76 - `await firstValueFrom(this.httpService.post(remoteUrl, requestPayload))`
5. connection.service.ts:341 - `await firstValueFrom(this.httpService.get(identityUrl))`
6. federation-agent.service.ts - All orchestrator calls use httpService

All HTTP requests are protected by the 10-second timeout.

## Notes

- Timeout already configured via `HttpModule.register({ timeout: 10000 })`
- This is a verification issue - timeout was already in place
- Added explicit tests to verify timeout works
- No security vulnerability exists - this was a false alarm
- COMPLETED ✅
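
A module-level timeout only holds while every outbound call keeps going through HttpService and no call overrides it per request. The following added example (not code from this project; `scanSource`, the rule names and both sample sources are constructed for illustration) flags direct client calls and per-request `timeout` values of 0 or above 10000 ms.

```typescript
// Added example; names and sample sources are constructed, not project code.
type Rule = "bypasses-http-service" | "timeout-override";
interface Finding { file: string; line: number; rule: Rule }

// Direct client calls skip the HttpService instance that
// HttpModule.register({ timeout: 10000 }) configures.
const DIRECT_CLIENT =
  /\baxios\s*(\.\s*(get|post|put|patch|delete|head|request|create)\s*)?\(|\bfetch\s*\(|\bhttps?\.(request|get)\s*\(/;

// A per-request config overrides the module default; in axios, 0 means no timeout.
const PER_REQUEST_TIMEOUT = /\btimeout\s*:\s*(\d+)/;

function scanSource(file: string, source: string, maxTimeoutMs = 10000): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((raw, index) => {
    const text = raw.trim();
    if (text.startsWith("//") || text.startsWith("*")) return; // skip comment lines
    if (DIRECT_CLIENT.test(text)) {
      findings.push({ file, line: index + 1, rule: "bypasses-http-service" });
    }
    const match = PER_REQUEST_TIMEOUT.exec(text);
    if (match) {
      const ms = Number(match[1]);
      if (ms === 0 || ms > maxTimeoutMs) {
        findings.push({ file, line: index + 1, rule: "timeout-override" });
      }
    }
  });
  return findings;
}

// Constructed sample: the call shape and module config listed in the code review.
const SAMPLE_OK = [
  "const res = await firstValueFrom(this.httpService.post(remoteUrl, signedCommand));",
  "HttpModule.register({ timeout: 10000, maxRedirects: 5 }),",
].join("\n");

// Constructed sample: two regressions that would lose the 10-second bound.
const SAMPLE_REGRESSION = [
  "// axios.get(url) in a comment is ignored",
  "const res = await axios.post(remoteUrl, payload);",
  "await firstValueFrom(this.httpService.get(identityUrl, { timeout: 0 }));",
].join("\n");

function runSamples(): { ok: Finding[]; regression: Finding[] } {
  const ok = scanSource("sample-ok.ts", SAMPLE_OK);
  return { ok, regression: scanSource("sample-regression.ts", SAMPLE_REGRESSION) };
}
```

The scan is line-based, so type-only imports from `axios` are not flagged, while a call split across lines can be missed; treat it as a regression guard next to the timeout spec, not a replacement for it.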