authorAaron Patterson <aaron.patterson@gmail.com>2015-10-02 14:45:31 -0700
committerAaron Patterson <aaron.patterson@gmail.com>2015-10-02 14:45:31 -0700
commit37423e4ff883ad5584bab983aceb4b2b759a1fd8 (patch)
tree93dc7b22fc418927258ab290e9a48cb649bc1a0f
parent55e6d2f0e344a5396f6d6448146efeb949a1c222 (diff)
removing Rack::Runtime from the default stack.
The runtime header is a potential target for timing attacks since it returns the amount of time spent on the server (eliminating network speed). Total time is also not accurate for streaming responses.

The middleware can be added back via:

```ruby
config.middleware.use ::Rack::Runtime
```
-rw-r--r--guides/source/api_app.md1
-rw-r--r--guides/source/command_line.md2
-rw-r--r--guides/source/rails_on_rack.md1
-rw-r--r--railties/CHANGELOG.md3
-rw-r--r--railties/lib/rails/application/bootstrap.rb2
-rw-r--r--railties/lib/rails/application/default_middleware_stack.rb1
-rw-r--r--railties/test/application/middleware_test.rb20
7 files changed, 14 insertions, 16 deletions
diff --git a/guides/source/api_app.md b/guides/source/api_app.md
index feaaff166a..eb762612ee 100644
--- a/guides/source/api_app.md
+++ b/guides/source/api_app.md
@@ -188,7 +188,6 @@ An API application comes with the following middlewares by default:
- `ActiveSupport::Cache::Strategy::LocalCache::Middleware`
- `ActionDispatch::RequestId`
- `Rails::Rack::Logger`
-- `Rack::Runtime`
- `ActionDispatch::ShowExceptions`
- `ActionDispatch::DebugExceptions`
- `ActionDispatch::RemoteIp`
diff --git a/guides/source/command_line.md b/guides/source/command_line.md
index e85f9fc9c6..cbfccce788 100644
--- a/guides/source/command_line.md
+++ b/guides/source/command_line.md
@@ -412,7 +412,7 @@ Ruby version 2.2.2 (x86_64-linux)
RubyGems version 2.4.6
Rack version 1.6
JavaScript Runtime Node.js (V8)
-Middleware Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
+Middleware Rack::Sendfile, ActionDispatch::Static, Rack::Lock, #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007ffd131a7c88>, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::RemoteIp, ActionDispatch::Reloader, ActionDispatch::Callbacks, ActiveRecord::Migration::CheckPending, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActiveRecord::QueryCache, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, Rack::Head, Rack::ConditionalGet, Rack::ETag
Application root /home/foobar/commandsapp
Environment development
Database adapter sqlite3
diff --git a/guides/source/rails_on_rack.md b/guides/source/rails_on_rack.md
index 0db90fedb3..82aedc3fdf 100644
--- a/guides/source/rails_on_rack.md
+++ b/guides/source/rails_on_rack.md
@@ -106,7 +106,6 @@ use Rack::Sendfile
use ActionDispatch::Static
use Rack::Lock
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x000000029a0838>
-use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use Rails::Rack::Logger
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 3e45a09dec..6822507630 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,6 @@
+* Removed Rack::Runtime from the default stack. It can be added back via
+ `config.middleware.use ::Rack::Runtime`.
+
* Add fail fast to `bin/rails test`
Adding `--fail-fast` or `-f` when running tests will interrupt the run on
diff --git a/railties/lib/rails/application/bootstrap.rb b/railties/lib/rails/application/bootstrap.rb
index 9baf8aa742..85c282783b 100644
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@@ -63,7 +63,7 @@ INFO
Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)
if Rails.cache.respond_to?(:middleware)
- config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
+ config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
end
end
end
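Review bot: Swapping the `insert_before` anchor to `::ActionDispatch::RequestId` also moves the cache middleware, and nothing at the call site says so. With `Rack::Runtime` as the anchor it sat ahead of `Rack::MethodOverride`; the updated expectation in middleware_test.rb now lists `ActiveSupport::Cache::Strategy::LocalCache` after `Rack::MethodOverride` for non-API apps. A comment such as `# Anchored on RequestId now that Rack::Runtime is gone; the local cache therefore runs after Rack::MethodOverride` would record that the new order is intended. Applications whose own config anchors on `Rack::Runtime` presumably need the same change when upgrading, which the CHANGELOG entry could mention. The enclosing initializer starts outside the hunk.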
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index 21062f3a53..b2185ca818 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -47,7 +47,6 @@ module Rails
end
end
- middleware.use ::Rack::Runtime
middleware.use ::Rack::MethodOverride unless config.api_only
middleware.use ::ActionDispatch::RequestId
diff --git a/railties/test/application/middleware_test.rb b/railties/test/application/middleware_test.rb
index 138c63266e..490f0ba822 100644
--- a/railties/test/application/middleware_test.rb
+++ b/railties/test/application/middleware_test.rb
@@ -27,9 +27,8 @@ module ApplicationTests
"Rack::Sendfile",
"ActionDispatch::Static",
"ActionDispatch::LoadInterlock",
- "ActiveSupport::Cache::Strategy::LocalCache",
- "Rack::Runtime",
"Rack::MethodOverride",
+ "ActiveSupport::Cache::Strategy::LocalCache",
"ActionDispatch::RequestId",
"Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
"ActionDispatch::ShowExceptions",
@@ -59,7 +58,6 @@ module ApplicationTests
"ActionDispatch::Static",
"ActionDispatch::LoadInterlock",
"ActiveSupport::Cache::Strategy::LocalCache",
- "Rack::Runtime",
"ActionDispatch::RequestId",
"Rails::Rack::Logger", # must come after Rack::MethodOverride to properly log overridden methods
"ActionDispatch::ShowExceptions",
@@ -168,19 +166,19 @@ module ApplicationTests
end
test "can delete a middleware from the stack even if insert_before is added after delete" do
- add_to_config "config.middleware.delete Rack::Runtime"
- add_to_config "config.middleware.insert_before(Rack::Runtime, Rack::Config)"
+ add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+ add_to_config "config.middleware.insert_before(ActionDispatch::ShowExceptions, Rack::Config)"
boot!
assert middleware.include?("Rack::Config")
- assert_not middleware.include?("Rack::Runtime")
+ assert_not middleware.include?("ActionDispatch::ShowExceptions")
end
test "can delete a middleware from the stack even if insert_after is added after delete" do
- add_to_config "config.middleware.delete Rack::Runtime"
- add_to_config "config.middleware.insert_after(Rack::Runtime, Rack::Config)"
+ add_to_config "config.middleware.delete ActionDispatch::ShowExceptions"
+ add_to_config "config.middleware.insert_after(ActionDispatch::ShowExceptions, Rack::Config)"
boot!
assert middleware.include?("Rack::Config")
- assert_not middleware.include?("Rack::Runtime")
+ assert_not middleware.include?("ActionDispatch::ShowExceptions")
end
test "includes exceptions middlewares even if action_dispatch.show_exceptions is disabled" do
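Review bot: Once these two tests switch to `ActionDispatch::ShowExceptions`, the hunks shown here no longer add or keep any test that references `Rack::Runtime`. The opt-in path that the CHANGELOG documents, `config.middleware.use ::Rack::Runtime`, therefore appears to be unexercised. Since the commit message names the header as a timing side channel, it is worth pinning that the middleware appears only when an application asks for it. A small test using the helpers already in this file would cover the opt-in side; the default-stack list assertions earlier in the file presumably cover its absence.

```ruby
test "Rack::Runtime can be added back to the stack" do
  add_to_config "config.middleware.use ::Rack::Runtime"
  boot!
  assert middleware.include?("Rack::Runtime")
end
```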
@@ -218,12 +216,12 @@ module ApplicationTests
test "Rails.cache does not respond to middleware" do
add_to_config "config.cache_store = :memory_store"
boot!
- assert_equal "Rack::Runtime", middleware.fourth
+ assert_equal "Rack::MethodOverride", middleware.fourth
end
test "Rails.cache does respond to middleware" do
boot!
- assert_equal "Rack::Runtime", middleware.fifth
+ assert_equal "ActiveSupport::Cache::Strategy::LocalCache", middleware.fifth
end
test "insert middleware before" do
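Review bot: Both cache tests assert a fixed stack position (`middleware.fourth`, `middleware.fifth`), which is why they had to be edited for the removal of an unrelated middleware. Asserting what the test names describe would survive reordering: `assert_not middleware.include?("ActiveSupport::Cache::Strategy::LocalCache")` for the memory-store case and `assert middleware.include?("ActiveSupport::Cache::Strategy::LocalCache")` for the default one. If the placement relative to `ActionDispatch::RequestId` matters, compare the two entries' indexes rather than a fixed ordinal.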