go-server-timing
Be less precise about timings
Currently durations are rendered as:
strconv.FormatFloat(float64(m.Duration)/float64(time.Millisecond), 'f', -1, 64)
I think this is overly precise: all digits beyond the millisecond? That could even be a security issue, as somebody could do timing attacks, determining how long some operation is taking (e.g., password checking). I think there is really no point in sending more than 1 extra digit after milliseconds. I mean, how precise are those measurements anyway? They are not an average of multiple measurements.
So I suggest:
strconv.FormatFloat(float64(m.Duration)/float64(time.Millisecond), 'f', 1, 64)
I could be convinced to increase 1, but not to have it unbounded.
I made #25.
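To make the difference between the two `FormatFloat` calls concrete, here is an added example (not part of the original issue and not the project's code). The helpers `formatMs`, `distinctValues` and `sampleDurations` are hypothetical names, and the durations are constructed sample values that differ only by a few microseconds.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// formatMs renders d in milliseconds using the expression quoted in the issue.
// prec = -1 is the current unbounded form, prec = 1 is the proposed form.
func formatMs(d time.Duration, prec int) string {
	return strconv.FormatFloat(float64(d)/float64(time.Millisecond), 'f', prec, 64)
}

// distinctValues counts how many different strings a client would observe
// for the given durations at the given precision.
func distinctValues(ds []time.Duration, prec int) int {
	seen := map[string]struct{}{}
	for _, d := range ds {
		seen[formatMs(d, prec)] = struct{}{}
	}
	return len(seen)
}

// sampleDurations returns constructed measurements around 12.3ms that
// differ from each other by about 7 microseconds.
func sampleDurations() []time.Duration {
	base := 12*time.Millisecond + 300*time.Microsecond
	out := make([]time.Duration, 0, 5)
	for i := 0; i < 5; i++ {
		step := time.Duration(i) * (7*time.Microsecond + 13*time.Nanosecond)
		out = append(out, base+step)
	}
	return out
}

func main() {
	ds := sampleDurations()
	for _, d := range ds {
		fmt.Printf("unbounded: %-10s one digit: %s\n", formatMs(d, -1), formatMs(d, 1))
	}
	// Unbounded output keeps every sample distinguishable down to the
	// nanosecond; one digit collapses them into a single 0.1ms bucket.
	fmt.Println("distinct unbounded:", distinctValues(ds, -1))
	fmt.Println("distinct one digit:", distinctValues(ds, 1))
}
```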