fix(config): remove dead read_header_timeout setting (fasthttp has no such field)

fasthttp uses a single ReadTimeout covering the full read phase (headers +
body). The separate read_header_timeout config field was parsed and defaulted
but never applied to the server — dead code since the fasthttp migration.

- Remove struct field, default, and env override from config.go
- Remove assertion from config_test.go
- Remove from both config.toml.example files
- Update README.md, USER_GUIDE.md, docs/index.html: remove setting from
  config tables and env vars tables, note ReadTimeout provides Slowloris
  protection

Author: jkyberneees

README.md

@@ -211,7 +211,7 @@ Only `GET`, `HEAD`, and `OPTIONS` are accepted. All other methods (including `TR
 
 | Mitigation | Value |
 |------------|-------|
-| `ReadTimeout` | 10 s |
+| `ReadTimeout` | 10 s (covers full read phase including headers — Slowloris protection) |
 | `WriteTimeout` | 10 s |
 | `IdleTimeout` | 75 s (keep-alive) |
 | `MaxRequestBodySize` | 0 (no body accepted — static server) |
@@ -231,8 +231,7 @@ Copy `config.toml.example` to `config.toml` and edit as needed. The server start
 | `redirect_host` | string | — | Canonical host used for HTTP→HTTPS redirects |
 | `tls_cert` | string | — | Path to TLS certificate (PEM) |
 | `tls_key` | string | — | Path to TLS private key (PEM) |
-| `read_header_timeout` | duration | `5s` | Slowloris protection |
-| `read_timeout` | duration | `10s` | Full request read deadline |
+| `read_timeout` | duration | `10s` | Full request read deadline (covers headers; Slowloris protection) |
 | `write_timeout` | duration | `10s` | Response write deadline |
 | `idle_timeout` | duration | `75s` | Keep-alive idle timeout |
 | `shutdown_timeout` | duration | `15s` | Graceful drain window |
@@ -299,7 +298,6 @@ All environment variables override the corresponding TOML setting. Useful for co
 | `STATIC_SERVER_REDIRECT_HOST` | `server.redirect_host` |
 | `STATIC_SERVER_TLS_CERT` | `server.tls_cert` |
 | `STATIC_SERVER_TLS_KEY` | `server.tls_key` |
-| `STATIC_SERVER_READ_HEADER_TIMEOUT` | `server.read_header_timeout` |
 | `STATIC_SERVER_READ_TIMEOUT` | `server.read_timeout` |
 | `STATIC_SERVER_WRITE_TIMEOUT` | `server.write_timeout` |
 | `STATIC_SERVER_IDLE_TIMEOUT` | `server.idle_timeout` |

USER_GUIDE.md

@@ -113,8 +113,7 @@ tls_addr         = ":8443"       # HTTPS listen address (requires tls_cert + tls
 redirect_host    = ""            # canonical host for HTTP→HTTPS redirects (recommended in production)
 tls_cert         = ""            # path to PEM certificate file
 tls_key          = ""            # path to PEM private key file
-read_header_timeout = "5s"       # Slowloris protection
-read_timeout        = "10s"
+read_timeout        = "10s"      # full read deadline (covers headers; Slowloris protection)
 write_timeout       = "10s"
 idle_timeout        = "75s"
 shutdown_timeout    = "15s"      # graceful drain window on SIGTERM/SIGINT
@@ -165,7 +164,6 @@ Every config field can also be set via an environment variable, which takes prec
 | `STATIC_SERVER_REDIRECT_HOST`       | `server.redirect_host`                           |
 | `STATIC_SERVER_TLS_CERT`            | `server.tls_cert`                                |
 | `STATIC_SERVER_TLS_KEY`             | `server.tls_key`                                 |
-| `STATIC_SERVER_READ_HEADER_TIMEOUT` | `server.read_header_timeout`                     |
 | `STATIC_SERVER_READ_TIMEOUT`        | `server.read_timeout`                            |
 | `STATIC_SERVER_WRITE_TIMEOUT`       | `server.write_timeout`                           |
 | `STATIC_SERVER_IDLE_TIMEOUT`        | `server.idle_timeout`                            |

cmd/static-web/config.toml.example

@@ -13,11 +13,9 @@ tls_cert = ""
 # Path to TLS private key file (PEM). Leave empty to disable HTTPS.
 tls_key = ""
 
-# Maximum time to read request headers from the client.
-# Protects against Slowloris DoS attacks. Default 5s.
-read_header_timeout = "5s"
-
 # Maximum time to read an HTTP request from the client (headers + body).
+# With fasthttp, this single timeout covers the full read phase including
+# headers, providing Slowloris protection. Default 10s.
 read_timeout = "10s"
 
 # Maximum time to write an HTTP response to the client.

config.toml.example

@@ -18,11 +18,9 @@ tls_cert = ""
 # Path to TLS private key file (PEM). Leave empty to disable HTTPS.
 tls_key = ""
 
-# Maximum time to read request headers from the client.
-# Protects against Slowloris DoS attacks. Default 5s.
-read_header_timeout = "5s"
-
 # Maximum time to read an HTTP request from the client (headers + body).
+# With fasthttp, this single timeout covers the full read phase including
+# headers, providing Slowloris protection. Default 10s.
 read_timeout = "10s"
 
 # Maximum time to write an HTTP response to the client.

docs/index.html

@@ -751,15 +751,10 @@ <h2 class="section-title" id="configuration-heading">Configuration Reference</h2
                         <td>—</td>
                         <td>Path to TLS private key (PEM)</td>
                       </tr>
-                      <tr>
-                        <td><code>read_header_timeout</code></td>
-                        <td><code>5s</code></td>
-                        <td>Slowloris protection</td>
-                      </tr>
                       <tr>
                         <td><code>read_timeout</code></td>
                         <td><code>10s</code></td>
-                        <td>Full request read deadline</td>
+                        <td>Full request read deadline (Slowloris protection)</td>
                       </tr>
                       <tr>
                         <td><code>write_timeout</code></td>

internal/config/config.go

@@ -35,10 +35,9 @@ type ServerConfig struct {
 	TLSCert string `toml:"tls_cert"`
 	// TLSKey is the path to the TLS private key file.
 	TLSKey string `toml:"tls_key"`
-	// ReadHeaderTimeout is the maximum duration for reading request headers.
-	// Protects against slow-loris attacks. Default: 5s.
-	ReadHeaderTimeout time.Duration `toml:"read_header_timeout"`
 	// ReadTimeout is the maximum duration for reading the entire request (headers + body).
+	// With fasthttp, this single timeout covers the full read phase (there is no
+	// separate ReadHeaderTimeout). Default: 10s.
 	ReadTimeout time.Duration `toml:"read_timeout"`
 	// WriteTimeout is the maximum duration for writing a response.
 	WriteTimeout time.Duration `toml:"write_timeout"`
@@ -146,7 +145,6 @@ func Load(path string) (*Config, error) {
 func applyDefaults(cfg *Config) {
 	cfg.Server.Addr = ":8080"
 	cfg.Server.TLSAddr = ":8443"
-	cfg.Server.ReadHeaderTimeout = 5 * time.Second
 	cfg.Server.ReadTimeout = 10 * time.Second
 	cfg.Server.WriteTimeout = 10 * time.Second
 	cfg.Server.IdleTimeout = 75 * time.Second
@@ -199,11 +197,6 @@ func applyEnvOverrides(cfg *Config) {
 			cfg.Server.ReadTimeout = d
 		}
 	}
-	if v := os.Getenv("STATIC_SERVER_READ_HEADER_TIMEOUT"); v != "" {
-		if d, err := time.ParseDuration(v); err == nil {
-			cfg.Server.ReadHeaderTimeout = d
-		}
-	}
 	if v := os.Getenv("STATIC_SERVER_WRITE_TIMEOUT"); v != "" {
 		if d, err := time.ParseDuration(v); err == nil {
 			cfg.Server.WriteTimeout = d

internal/config/config_test.go

@@ -18,9 +18,6 @@ func TestLoadDefaults(t *testing.T) {
 	if cfg.Server.Addr != ":8080" {
 		t.Errorf("Server.Addr = %q, want %q", cfg.Server.Addr, ":8080")
 	}
-	if cfg.Server.ReadHeaderTimeout != 5*time.Second {
-		t.Errorf("Server.ReadHeaderTimeout = %v, want 5s", cfg.Server.ReadHeaderTimeout)
-	}
 	if cfg.Server.RedirectHost != "" {
 		t.Errorf("Server.RedirectHost = %q, want empty string", cfg.Server.RedirectHost)
 	}