HTTP client with no timeout
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
http.Get/Post/PostForm/Head use http.DefaultClient, which has no timeout, and a directly constructed http.Client with no Timeout field has the same problem, so a slow or unresponsive server can hang the calling goroutine indefinitely.
Why it matters
http.Get, http.Post, http.PostForm, and http.Head all use http.DefaultClient under the hood, and that client has no timeout configured: if the remote server accepts the connection but never responds, or responds one byte at a time forever, the call blocks the calling goroutine indefinitely. The same problem exists for any http.Client{} constructed without an explicit Timeout field. In a server handling concurrent requests, enough of these hung calls piling up can exhaust goroutines or connections and take the whole service down, not just the one slow request.
How to fix it
Construct an explicit http.Client with a Timeout set to a value appropriate for the calls it makes (a few seconds for a typical API call, longer for large downloads), and use that client instead of the package-level http.Get/Post/PostForm/Head helpers. For finer control over connect vs. read timeouts, use a context with a deadline on the request instead of, or in addition to, the client-level Timeout.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo