Description
I'm a long-time user of rack-attack, but I realized that there could be a better way of handling things here, instead of chasing bad requests and malicious IPs trying to attack PHP endpoints and such.
Rails has moved from allowing all parameters to allowing only those specified with Strong Params. Why shouldn't Rack::Attack be the same?
Is there a possibility of leveraging Rails' routes files to generate a whitelist of acceptable routes as a starting point? Even if that's a rake task that runs in the Rails environment that outputs a set of code that can be copy/pasted into an initializer, it would be really great to say "here are my routes, I don't want to allow anything else." Or, even better, a task that spits out a file in /lib that contains the configuration that you could require from your initializer. It could even be an optimized task on rake assets:precompile so it's always up-to-date.
You could then add any overrides to your initializer manually, like specifying asset paths, static files, or engines mounted inside the app that should also be allowed.
Just thought I'd throw that out there.
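An added example of what the proposed generated allowlist could look like in practice (this is illustrative code written for this note, not part of the issue, rack-attack, or Rails). It assumes a hypothetical `RouteAllowlist` class; `ROUTE_SPECS` is a constructed stand-in for what `Rails.application.routes.routes.map { |r| [r.verb, r.path.spec.to_s] }` would return in a real app, and `EXTRA_PREFIXES` is where the manual overrides mentioned above (asset paths, mounted engines) would go. Everything not matching a known route is handed to `Rack::Attack.blocklist`, which is only wired up when the gem is loaded, so the file also runs on its own.

```ruby
# Added example (hypothetical, not rack-attack's own code): turn Rails-style
# route specs into an allowlist and block every request that matches none.
#
# Assumptions:
#   - ROUTE_SPECS is a constructed sample of [verb, path spec] pairs in the
#     shape Rails' routing table exposes (verb "" means "any verb").
#   - EXTRA_PREFIXES holds the manual overrides: assets, mounted engines.
class RouteAllowlist
  # Translate one path spec such as "/users/:id(.:format)" into a Regexp.
  #   ( ... )   optional group     -> (?: ... )?
  #   :name     dynamic segment    -> one path segment (no "/", "." or "?")
  #   *name     glob segment       -> anything, "/" included
  #   literal   escaped verbatim
  def self.compile(spec)
    src = spec.scan(/\(|\)|\*\w+|:\w+|[^()*:]+/).map do |tok|
      case tok
      when '('    then '(?:'
      when ')'    then ')?'
      when /\A\*/ then '.*'
      when /\A:/  then '[^/.?]+'
      else Regexp.escape(tok)
      end
    end.join
    Regexp.new("\\A#{src}\\z")
  end

  def initialize(specs, extra_prefixes: [])
    # "GET|POST" style verbs are split; an empty verb list matches any method.
    @rules = specs.map do |verb, spec|
      [verb.to_s.upcase.split('|'), self.class.compile(spec)]
    end
    @prefixes = extra_prefixes
  end

  # True when the (method, path) pair is covered by a route or an override.
  def allowed?(method, path)
    return true if @prefixes.any? { |prefix| path.start_with?(prefix) }

    m = method.to_s.upcase
    @rules.any? do |verbs, re|
      (verbs.empty? || verbs.include?(m)) && re.match?(path)
    end
  end
end

# Constructed sample routing table for a small app (stand-in for `rails routes`).
ROUTE_SPECS = [
  ['GET',      '/'],
  ['GET',      '/users(.:format)'],
  ['POST',     '/users(.:format)'],
  ['GET',      '/users/:id(.:format)'],
  ['PATCH',    '/users/:id(.:format)'],
  ['DELETE',   '/users/:id(.:format)'],
  ['GET|POST', '/login(.:format)'],
  ['GET',      '/files/*path(.:format)']
].freeze

# Manual overrides: static assets and an engine mounted under /admin.
EXTRA_PREFIXES = ['/assets/', '/admin/'].freeze

ALLOWLIST = RouteAllowlist.new(ROUTE_SPECS, extra_prefixes: EXTRA_PREFIXES)

# Wiring for config/initializers/rack_attack.rb; skipped when the gem is absent.
if defined?(Rack::Attack)
  Rack::Attack.blocklist('request to unrouted path') do |req|
    !ALLOWLIST.allowed?(req.request_method, req.path)
  end
end

if $PROGRAM_NAME == __FILE__
  [['GET', '/users/42.json'], ['GET', '/wp-login.php'],
   ['PUT', '/users/42'], ['GET', '/assets/app.js']].each do |m, p|
    puts "#{m} #{p}: #{ALLOWLIST.allowed?(m, p) ? 'allowed' : 'blocked'}"
  end
end
```

The check runs on `req.path` only, so query strings never influence the decision, and the verb is compared as well, so a method the route does not accept is treated like an unknown path. Since Rails would answer an unrouted path with a 404 anyway, the gain is that the rejection happens in middleware before the request reaches the router, and the blocklist name shows up in rack-attack's instrumentation for monitoring.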