Is there a way to give the user control over where the middleware gets plugged in? For example, in an Apartment-based application, we would want to detect malicious subdomain attacks, e.g. "xxx.myapp.com, yyy.myapp.com..."
In the current state, the Rack::Attack middleware is loaded well after Apartment::Elevators::Subdomain, so Apartment tenant switching throws an exception on an invalid subdomain request before Rack::Attack is allowed to block the request.
Inserting the Rack::Attack middleware before Apartment::Elevators::Subdomain works, but causes Rack::Attack to be called twice in the middleware stack (a bit sloppy and wasteful).
Auto-plugging was added a while back for convenience of configuration, but it seems we would benefit from more flexibility in how it is called, especially considering that it is best to block malicious actors earlier in the stack rather than later. Thanks for your consideration.
Resolves this issue. Closing the issue and casting my vote to remove auto-loading of the middleware in a future version, after some notice to existing users. The placement of firewall/attack-blocking middleware is critical to good security, so it should not simply be added at the end to save developers one line of code. (2c) Thank you to all maintainers and contributors here; this is a great gem.
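The ordering problem described in the issue, reproduced as an added example that is not code from rack-attack, Apartment or this thread. It models a Rails-style middleware stack (`use`, `insert_before`, `delete`, outermost entry first) in plain Ruby with no gem dependencies. `SubdomainElevator` and `Blocklist` are constructed stand-ins for `Apartment::Elevators::Subdomain` and `Rack::Attack`; the tenant list, the blocked subdomains and the `blocklist.calls` env key are assumptions made for the demonstration. It shows the three states the issue walks through: the auto-plugged stack where the elevator raises before the blocklist ever runs, the naive `insert_before` that leaves the auto-plugged copy in place and runs the blocklist twice, and the explicit placement that deletes the auto-plugged copy first.

```ruby
# Constructed stand-ins; none of this is rack-attack or apartment code.

# Minimal model of a Rails-style middleware stack: an ordered list of middleware
# classes, built into a nested chain around an inner app. First entry = outermost.
class MiddlewareStack
  def initialize
    @entries = []
  end

  def use(klass)
    @entries << klass
  end

  # Array#delete removes every occurrence, so an auto-plugged copy goes too.
  def delete(klass)
    @entries.delete(klass)
  end

  def insert_before(target, klass)
    idx = @entries.index(target) or raise ArgumentError, "#{target} not in stack"
    @entries.insert(idx, klass)
  end

  # Outermost middleware wraps the rest, so build from the inside out.
  def build(app)
    @entries.reverse.inject(app) { |inner, klass| klass.new(inner) }
  end

  def order
    @entries.map(&:name)
  end
end

class TenantNotFound < StandardError; end

# Stand-in for Apartment::Elevators::Subdomain (constructed): derives the tenant
# from the first host label and raises when that tenant does not exist.
class SubdomainElevator
  KNOWN_TENANTS = %w[acme globex].freeze # assumption: the only valid tenants

  def initialize(app)
    @app = app
  end

  def call(env)
    tenant = env["HTTP_HOST"].split(".").first
    raise TenantNotFound, tenant unless KNOWN_TENANTS.include?(tenant)
    env["tenant"] = tenant
    @app.call(env)
  end
end

# Stand-in for a Rack::Attack-style blocklist (constructed). It counts how many
# times it runs per request so the double-invocation problem is visible.
class Blocklist
  BLOCKED_SUBDOMAINS = %w[xxx yyy].freeze # assumption: the hostile subdomains

  def initialize(app)
    @app = app
  end

  def call(env)
    env["blocklist.calls"] = env.fetch("blocklist.calls", 0) + 1
    sub = env["HTTP_HOST"].split(".").first
    return [403, { "content-type" => "text/plain" }, ["Forbidden"]] if BLOCKED_SUBDOMAINS.include?(sub)
    @app.call(env)
  end
end

APP = ->(env) { [200, { "content-type" => "text/plain" }, ["tenant=#{env['tenant']}"]] }

# 1. Auto-plugged at the end of the stack: the situation the issue describes.
def auto_plugged_stack
  s = MiddlewareStack.new
  s.use SubdomainElevator
  s.use Blocklist # appended last, as the auto-plug does
  s
end

# 2. Naive fix: insert before the elevator, but the auto-plugged copy stays.
def double_plugged_stack
  s = auto_plugged_stack
  s.insert_before SubdomainElevator, Blocklist
  s
end

# 3. Remove the auto-plugged copy first, then insert where it belongs.
def explicitly_placed_stack
  s = auto_plugged_stack
  s.delete Blocklist
  s.insert_before SubdomainElevator, Blocklist
  s
end

# Runs one request through a stack; returns [status or exception class, blocklist call count].
def dispatch(stack, host)
  env = { "HTTP_HOST" => host }
  status, = stack.build(APP).call(env)
  [status, env.fetch("blocklist.calls", 0)]
rescue TenantNotFound => e
  [e.class, env.fetch("blocklist.calls", 0)]
end

if __FILE__ == $PROGRAM_NAME
  { auto: auto_plugged_stack, double: double_plugged_stack, explicit: explicitly_placed_stack }.each do |name, stack|
    puts "#{name}: #{stack.order.join(' > ')}"
    %w[xxx.myapp.com acme.myapp.com].each { |h| puts "  #{h} => #{dispatch(stack, h).inspect}" }
  end
end
```

In a real Rails app the same two operations are `config.middleware.delete Rack::Attack` followed by `config.middleware.insert_before Apartment::Elevators::Subdomain, Rack::Attack` in `config/application.rb`; the example assumes, as the issue states, that the auto-plug simply appends `Rack::Attack` to the end of the stack.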