fix: replace http.DefaultServeMux fallback handlers with safe defaults

Yanhu007 · Yanhu007 · commit 0284a5bcf92b · 2026-04-13T08:38:01.000+08:00
The HTTP server uses http.DefaultServeMux as the fallback handler for unmatched routes and disallowed methods. Since DefaultServeMux is a global shared instance that may have handlers registered by init() functions (e.g. net/http/pprof), this can unintentionally expose debug endpoints like /debug/pprof/ to the network. Replace with: - http.NotFoundHandler() for NotFoundHandler (returns 404) - A simple 405 handler for MethodNotAllowedHandler Users who need the previous behavior can still explicitly set http.DefaultServeMux using the existing NotFoundHandler() and MethodNotAllowedHandler() server options. Fixes go-kratos#3810
diff --git a/transport/http/server.go b/transport/http/server.go
@@ -189,8 +189,10 @@ func NewServer(opts ...ServerOption) *Server {
 		strictSlash: true,
 		router:      mux.NewRouter(),
 	}
-	srv.router.NotFoundHandler = http.DefaultServeMux
-	srv.router.MethodNotAllowedHandler = http.DefaultServeMux
+	srv.router.NotFoundHandler = http.NotFoundHandler()
+	srv.router.MethodNotAllowedHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+	})
 	for _, o := range opts {
 		o(srv)
 	}

Original file line number	Diff line number	Diff line change
`@@ -189,8 +189,10 @@ func NewServer(opts ...ServerOption) *Server {`
`189`	`189`	`strictSlash: true,`
`190`	`190`	`router: mux.NewRouter(),`
`191`	`191`	`}`
`192`		`- srv.router.NotFoundHandler = http.DefaultServeMux`
`193`		`- srv.router.MethodNotAllowedHandler = http.DefaultServeMux`
	`192`	`+ srv.router.NotFoundHandler = http.NotFoundHandler()`
	`193`	`+ srv.router.MethodNotAllowedHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
	`194`	`+ w.WriteHeader(http.StatusMethodNotAllowed)`
	`195`	`+ })`
`194`	`196`	`for _, o := range opts {`
`195`	`197`	`o(srv)`
`196`	`198`	`}`