I'm writing a web app in Go. I have a http.Handler that does some stuff and writes a response.
func (h *MyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// do some stuff
}
So far I don't do anything different between POST and GET requests which is fine in the usual case.
But POSTs have a Request.Body.
What happens to that POST data? Does go buffer it? Is my handler invoked immediately, or does it wait until the POST is fully received?
To provide some context, I am specifically concerned with a slow loris attack.
I know that go has a very low per-connection overhead, but what about POSTing large amounts of data? If I POST 9Mb of data and then spoon-feed 1 byte at a time, how does go deal with that? Did it buffer the 9Mb in memory? If I do 10,000 such requests, that could be 90Gb of buffered POST data. My server won't like that very much.
There is some buffering involved, but the handler is invoked immediately, and it's up to you to read the request.Body.
As far as resource consumption from slow clients and specifically attacks like slowloris, the easiest solution is to set a ReadTimeout on your server.