removing Rack::Runtime from the default stack.

The runtime header is a potential target for timing attacks since it
returns the amount of time spent on the server (eliminating network
speed).  Total time is also not accurate for streaming responses.

The middleware can be added back via:

```ruby
config.middleware.ues ::Rack::Runtime
```

2 files changed, 1 insertions, 2 deletions

diff --git a/railties/lib/rails/application/bootstrap.rb b/railties/lib/rails/application/bootstrap.rb
index 9baf8aa742..85c282783b 100644
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@@ -63,7 +63,7 @@ INFO
           Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)
 
           if Rails.cache.respond_to?(:middleware)
-            config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
+            config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
           end
         end
       end
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index 21062f3a53..b2185ca818 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -47,7 +47,6 @@ module Rails
             end
           end
 
-          middleware.use ::Rack::Runtime
           middleware.use ::Rack::MethodOverride unless config.api_only
           middleware.use ::ActionDispatch::RequestId