
Security timeout


Requests that take a long time to process can be used by attackers to create Denial-of-Service (DoS) situations.

This security test is based on an arbitrary timeout threshold that might not match your application's requirements. To learn how to change it, head over to the configuration section below.

Example: Querying getAllUsers(){ contacts { contacts }} returns a response after 15s.


Implement a server timeout. For example, a server configured with a 5-second timeout would stop the execution of any query that takes longer than 5 seconds.


  • Simple to implement.
  • Most security strategies use a timeout as a final layer of protection.


  • Damage can already have been done before the timeout kicks in.
  • Can trigger other issues. Stopping a connection after a certain time may result in unexpected behavior and corrupted data.

Warning: When a timeout is configured on the server, the socket may be closed while the underlying request continues to execute. Make sure that the request itself is actually canceled, not just the connection.

GraphQL Specific


AWS AppSync enforces a timeout of 30s on each request by default.

If your API sits behind an API Gateway, you can configure a different timeout (lower than the hard 30s limit) in the AWS API Gateway console by following this path:

AWS API Gateway console > {Your App} > Resources > Integration Request > "Use default timeout".


Hasura allows you to set a custom query timeout.

To do so:

  • Go to Project Console > Security Settings > API Limits.
  • Click on "Global".
  • Set a timeout (e.g., 10s).

There is no known remediation for StepZen.


Implement a server timeout by following this guide:

The complete guide to Go net/http timeouts - Cloudflare blog
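Added example (not code from this page or from the linked guide): a Go handler that enforces a per-query deadline with http.TimeoutHandler and checks that the resolver really stops when the deadline passes, which is the failure mode the warning above describes. The resolver, the Result type, the JSON bodies and the server timeout values are all assumptions chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"net/http/httptest"
	"time"
)

// resolve stands in for a GraphQL resolver. It stops early only because it
// watches ctx.Done(); a resolver that ignores ctx keeps working after the
// client has already received the timeout response.
func resolve(ctx context.Context, work time.Duration) error {
	select {
	case <-time.After(work):
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

type Result struct {
	Status            int
	ResolverCancelled bool
}

// runQuery serves one request through http.TimeoutHandler and waits for the
// resolver goroutine to finish, so the check covers the server-side work too.
func runQuery(timeout, work time.Duration) Result {
	done := make(chan bool, 1)
	graphql := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		err := resolve(r.Context(), work) // TimeoutHandler cancels r.Context()
		done <- errors.Is(err, context.DeadlineExceeded)
		if err != nil {
			return // the 503 body was already written by TimeoutHandler
		}
		w.Write([]byte(`{"data":{"users":[]}}`))
	})
	h := http.TimeoutHandler(graphql, timeout, `{"errors":[{"message":"query timed out"}]}`)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/graphql", nil))
	return Result{Status: rec.Code, ResolverCancelled: <-done}
}

// newServer adds the connection-level timeouts from the Go net/http guide.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: h, ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout: 10 * time.Second, WriteTimeout: 15 * time.Second, IdleTimeout: 60 * time.Second}
}
```

WriteTimeout must be longer than the handler deadline, otherwise the connection is cut before the timeout response can be sent.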


Identifier: resource_limitation/timeout


  • threshold_low : Duration of a request (in seconds) before raising a low level alert
  • threshold_medium : Duration of a request (in seconds) before raising a medium level alert
  • threshold_high : Duration of a request (in seconds) before raising a high level alert


Ignore this check

"checks": {
  "resource_limitation/timeout": {
    "skip": true
  }
}

  • Escape Severity: HIGH
  • OWASP: API7:2023
  • PCI DSS: 6.5.8
  • CWE
    • 400
    • 557
    • 664
    • 770
    • 1060
    • 1088
    • 1226
  • WASC: WASC-10


  • CVSS_SCORE: 7.2