Closed slowjack2k closed 6 years ago
I think it would be good to add a section about how to remove potentially dangerous middleware.

Like https://hackernoon.com/the-giving-ruby-the-strange-case-of-user-enumeration-on-heroku-not-fixed-1a8296067318 showed, `Rack::Runtime` lowers the bar for a timing attack. With this middleware enabled you get the runtime information directly from the server and don't need to worry about network influences. In my point of view this makes timing attacks more likely.

For production it would be good to consider dropping `Rack::Runtime` via

```ruby
Rails.configuration.middleware.delete Rack::Runtime
```

It's said that the Rails guys did bring it up many times over the years, but it's unlikely they will drop it.
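The following is an added, stand-alone Ruby example (not code from the issue author or from Rails/Rack) showing what the middleware in question does and what the suggested removal changes. `RuntimeHeader` is a minimal re-implementation of `Rack::Runtime`'s behaviour (timing the rest of the stack and emitting an `X-Runtime` header), `MiddlewareStack` is a hypothetical stand-in for the Rails middleware stack supporting only `use` and `delete`, and `LOGIN_APP` is a constructed placeholder endpoint; none of these names exist in Rails. It needs neither the `rack` nor the `rails` gem. The `leaks_runtime?` check is the kind of assertion a defender would keep in a request spec to make sure the header does not reappear.

```ruby
# Added example: simulates Rack::Runtime and the effect of removing it from
# the middleware stack. Does not require rack or rails; all classes here are
# stand-ins written for this example.

# Minimal stand-in for Rack::Runtime: measures how long the rest of the stack
# takes to answer and reports it to the client in the X-Runtime header
# (the real middleware uses the same header name and "%0.6f" format).
class RuntimeHeader
  HEADER = "X-Runtime"

  def initialize(app)
    @app = app
  end

  def call(env)
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    status, headers, body = @app.call(env)
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
    [status, headers.merge(HEADER => format("%0.6f", elapsed)), body]
  end
end

# Hypothetical stand-in for Rails' middleware stack with just the two
# operations this example needs: `use` (append) and `delete`, the latter
# mirroring `Rails.configuration.middleware.delete Rack::Runtime`.
class MiddlewareStack
  def initialize
    @middlewares = []
  end

  def use(klass)
    @middlewares << klass
  end

  def delete(klass)
    @middlewares.delete(klass)
  end

  # Wrap the innermost app in each middleware so the first `use`d is outermost.
  def build(app)
    @middlewares.reverse.inject(app) { |inner, klass| klass.new(inner) }
  end
end

# Constructed placeholder for a login action. The extra work for an existing
# account is simulated with a short sleep; it is exactly this server-side
# difference that X-Runtime would hand to the client free of network noise.
LOGIN_APP = lambda do |env|
  sleep(0.001) if env["user_exists"]
  [200, { "Content-Type" => "text/plain" }, ["ok"]]
end

# Build the app with the runtime header (default) or without it. The
# `drop_runtime: true` branch corresponds to putting
#   Rails.configuration.middleware.delete Rack::Runtime
# into config/application.rb of a real Rails application.
def build_app(drop_runtime:)
  stack = MiddlewareStack.new
  stack.use(RuntimeHeader)
  stack.delete(RuntimeHeader) if drop_runtime
  stack.build(LOGIN_APP)
end

# Defender's check: does a response advertise server-side processing time?
# Header names are compared case-insensitively, as HTTP requires.
def leaks_runtime?(headers)
  headers.keys.any? { |k| k.casecmp?("X-Runtime") }
end

# Issue one simulated request and return only the response headers.
def response_headers(drop_runtime:, user_exists: false)
  app = build_app(drop_runtime: drop_runtime)
  _status, headers, _body = app.call("user_exists" => user_exists)
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "default stack:  X-Runtime present? #{leaks_runtime?(response_headers(drop_runtime: false))}"
  puts "Rack::Runtime dropped: X-Runtime present? #{leaks_runtime?(response_headers(drop_runtime: true))}"
end
```

In a real application the equivalent of `leaks_runtime?` would run against `response.headers` in a request spec after the `middleware.delete` line has been added, so that a later Rails upgrade or a stray `config.middleware.use` cannot silently reintroduce the header.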
That's an interesting article. I agree we should suggest dropping Rack::Runtime.
Thanks again for your contribution :)
Closing due to inactivity. Feel free to reopen if you want to contribute.