brunofacca / zen-rails-security-checklist

Checklist of security precautions for Ruby on Rails applications.
MIT License

Add a section about removing potentially dangerous middleware #15

Closed slowjack2k closed 6 years ago

slowjack2k commented 7 years ago

I think it would be good to add a section about how to remove potentially dangerous middleware.

As https://hackernoon.com/the-giving-ruby-the-strange-case-of-user-enumeration-on-heroku-not-fixed-1a8296067318 showed, Rack::Runtime lowers the bar for a timing attack. With this middleware enabled you get the runtime information directly from the server and don't need to worry about network influences. In my point of view this makes timing attacks more likely.

For production it would be good to consider dropping Rack::Runtime via `Rails.configuration.middleware.delete Rack::Runtime`.

It's said that the Rails guys have brought it up many times over the years, but it's unlikely they will drop it.
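The following is an added example, not code from the zen-rails-security-checklist project or from the issue author. It simulates in plain Ruby (no rack or rails gems) what Rack::Runtime does: it wraps the application, times the call on the server and exposes the result in an X-Runtime response header. A naive login app that only runs its password hash for existing usernames then leaks, through that header, whether a username exists. The `delete` call on the simulated stack mirrors the `config.middleware.delete Rack::Runtime` fix proposed above. `TimingMiddleware`, `MiddlewareStack`, `LoginApp` and `SlowHash` are hypothetical names for this simulation, and the user record is constructed sample data.

```ruby
# Added example, not code from zen-rails-security-checklist or the issue author.
# A pure-Ruby stand-in for what Rack::Runtime does: wrap the app, time the call
# on the server, and expose that time in an X-Runtime response header.
# TimingMiddleware, MiddlewareStack, LoginApp and SlowHash are hypothetical
# names for this simulation, not classes from the rack or rails gems.
require 'digest'

# Simulated password hash: deliberately slow, like bcrypt, so a login attempt
# that reaches the hash step takes measurably longer than one that does not.
module SlowHash
  ROUNDS = 50_000

  def self.digest(password)
    d = password.to_s
    ROUNDS.times { d = Digest::SHA256.hexdigest(d) }
    d
  end
end

# Naive login endpoint: it only runs the hash when the username exists, which
# is the timing oracle behind the user-enumeration article linked above.
class LoginApp
  # Constructed sample user; not real credentials.
  USERS = { 'alice' => SlowHash.digest('correct horse') }.freeze

  def call(env)
    stored = USERS[env['username']]
    if stored && SlowHash.digest(env['password']) == stored
      return [200, { 'Content-Type' => 'text/plain' }, ['welcome']]
    end
    [401, { 'Content-Type' => 'text/plain' }, ['invalid credentials']]
  end
end

# Stand-in for Rack::Runtime: measures server-side processing time and hands
# it to the client in a header, free of any network jitter.
class TimingMiddleware
  HEADER = 'X-Runtime'

  def initialize(app)
    @app = app
  end

  def call(env)
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    status, headers, body = @app.call(env)
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    headers[HEADER] = format('%.6f', elapsed)
    [status, headers, body]
  end
end

# Minimal model of the Rails middleware stack: `use` and `delete` mirror the
# config.middleware API referred to in the comment above.
class MiddlewareStack
  def initialize
    @middlewares = []
  end

  def use(klass)
    @middlewares << klass
  end

  def delete(klass)
    @middlewares.delete(klass)
  end

  # Wrap the app with each middleware, outermost first.
  def build(app)
    @middlewares.reverse.inject(app) { |inner, klass| klass.new(inner) }
  end
end

def default_stack
  stack = MiddlewareStack.new
  stack.use TimingMiddleware
  stack
end

# Simulated equivalent of `config.middleware.delete Rack::Runtime` in production.
def hardened_stack
  stack = default_stack
  stack.delete TimingMiddleware
  stack
end

# Returns [status, headers] for one login attempt against the given stack.
def login(stack, username, password)
  env = { 'username' => username, 'password' => password }
  status, headers, _body = stack.build(LoginApp.new).call(env)
  [status, headers]
end

if __FILE__ == $PROGRAM_NAME
  _, known   = login(default_stack, 'alice', 'wrong')
  _, unknown = login(default_stack, 'nobody', 'wrong')
  puts "existing user X-Runtime: #{known['X-Runtime']}"
  puts "unknown user  X-Runtime: #{unknown['X-Runtime']}"
  _, hardened = login(hardened_stack, 'alice', 'wrong')
  puts "X-Runtime present after delete: #{hardened.key?('X-Runtime')}"
end
```

Running it shows both failed logins returning the same 401 body while the X-Runtime value for the existing user is orders of magnitude larger than for the unknown one; after the delete the header is gone. Note the caveat: dropping the header only removes the precise server-side measurement. The simulated app still takes longer for existing users, so an attacker can recover the same signal over the network with enough samples; the durable fix is to do the same amount of work on both paths (for example, always run the password hash) and treat removing Rack::Runtime as defence in depth.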

brunofacca commented 7 years ago

That's an interesting article. I agree we should suggest dropping Rack::Runtime.

Thanks again for your contribution :)

brunofacca commented 6 years ago

Closing due to inactivity. Feel free to reopen if you want to contribute.