Will It Vibe logoWill It Vibe?
EXPRESS-014Low severity-4 points

No request timeout configured

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

No server.setTimeout, socket timeout, or timeout middleware was found for an Express app. With no timeout a slow or stalled client can hold a connection open indefinitely (slowloris). Heuristic.

Why it matters

A Node HTTP server with no request or socket timeout will hold a connection open as long as a client keeps it alive, even if the client sends its request one byte at a time. A handful of such connections can exhaust the connection pool and make the service unavailable (a slowloris-style attack). This is a heuristic: a reverse proxy in front may already enforce timeouts.

How to fix it

Set timeouts on the server: server.requestTimeout and server.headersTimeout, or server.setTimeout, sized to your slowest legitimate request. Alternatively add the connect-timeout middleware for per-request deadlines. If a proxy or platform already enforces timeouts, document that so the missing app-level setting is a deliberate choice.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks