From 37423e4ff883ad5584bab983aceb4b2b759a1fd8 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Fri, 2 Oct 2015 14:45:31 -0700
Subject: removing Rack::Runtime from the default stack.

The runtime header is a potential target for timing attacks since it returns the amount of time spent on the server (eliminating network speed). Total time is also not accurate for streaming responses.

The middleware can be added back via:

```ruby
config.middleware.ues ::Rack::Runtime
```
---
 railties/lib/rails/application/bootstrap.rb                | 2 +-
 railties/lib/rails/application/default_middleware_stack.rb | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
(limited to 'railties/lib/rails')

diff --git a/railties/lib/rails/application/bootstrap.rb b/railties/lib/rails/application/bootstrap.rb
index 9baf8aa742..85c282783b 100644
--- a/railties/lib/rails/application/bootstrap.rb
+++ b/railties/lib/rails/application/bootstrap.rb
@@ -63,7 +63,7 @@ INFO
           Rails.cache = ActiveSupport::Cache.lookup_store(config.cache_store)
 
           if Rails.cache.respond_to?(:middleware)
-            config.middleware.insert_before(::Rack::Runtime, Rails.cache.middleware)
+            config.middleware.insert_before(::ActionDispatch::RequestId, Rails.cache.middleware)
           end
         end
       end
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index 21062f3a53..b2185ca818 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -47,7 +47,6 @@ module Rails
           end
         end
 
-        middleware.use ::Rack::Runtime
         middleware.use ::Rack::MethodOverride unless config.api_only
         middleware.use ::ActionDispatch::RequestId
 
-- 
cgit v1.2.3
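Review bot: The new anchor `::ActionDispatch::RequestId` on the `+` line in bootstrap.rb makes the cache middleware's placement a hard dependency on RequestId staying in the stack — as far as I can tell `insert_before` on the middleware stack raises when its target is absent, so an application that deletes `ActionDispatch::RequestId` will now fail at boot inside this initializer rather than in its own config, and nothing in the hunk records why RequestId was chosen. The placement also shifts slightly: it used to land before `Rack::MethodOverride` (which followed `Rack::Runtime`), and now lands after it whenever `config.api_only` is false; probably harmless, but worth stating. I would add above the call: `# Rack::Runtime is gone from the default stack; RequestId is the next middleware present in every configuration (including api_only), so anchor on it. Apps that remove RequestId must position the cache middleware themselves.` The enclosing initializer block starts and ends outside the hunk. Separately, the re-enable snippet in the commit message reads `config.middleware.ues`, which should be `use`.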