Is it possible within the Rails app (in Rack?) to restrict the maximum permitted duration for HTTPS requests and responses? Like a forced timeout.
Long-running HTTP POST requests can be considered a vulnerability to a DoS attack.
Rails 5.2.3, Ruby 2.6.5
The app is hosted on AWS, in Elastic Beanstalk with an Application Load Balancer (ALB). I thought configuring this within the Rails app (for production) would be cleanest if possible, but otherwise wherever it can be done - ALB, Puma etc.
Don't think it's possible in Rails.
Check out https://github.com/sharpstone/rack-timeout. You can also restrict Puma's worker_timeout (though it explicitly mentions it does not protect against slow requests, but see: https://github.com/puma/puma/issues/1024).
Definitely available as a configuration in ALB!
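
Added example, not part of the original posts and not rack-timeout's own code: a minimal Rack middleware that shows the kind of per-request time limit the rack-timeout suggestion above refers to, built on Ruby's standard `Timeout`. The class name `RequestDeadline`, the 503 response and the 15-second figure in the comment are assumptions for illustration.

```ruby
require "timeout"

# Hypothetical middleware (the name is an assumption, not a Rails or rack-timeout API).
# It aborts any request whose handling inside the app exceeds `seconds`.
class RequestDeadline
  # Inherits from Exception so that a broad `rescue => e` (StandardError)
  # inside application code does not swallow the deadline.
  class Expired < Exception; end

  def initialize(app, seconds:)
    @app = app
    @seconds = seconds
  end

  def call(env)
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    # Timeout.timeout raises Expired in this thread once the limit passes.
    Timeout.timeout(@seconds, Expired) { @app.call(env) }
  rescue Expired
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    log_expiry(env, elapsed)
    body = "Request exceeded the #{@seconds}s limit\n"
    headers = { "Content-Type" => "text/plain",
                "Content-Length" => body.bytesize.to_s }
    [503, headers, [body]]
  end

  private

  # Record which request was cut off so repeated slow requests show up in logs.
  def log_expiry(env, elapsed)
    io = env["rack.errors"]
    return unless io
    io.puts format("request deadline exceeded: %s %s after %.2fs (limit %ss)",
                   env["REQUEST_METHOD"], env["PATH_INFO"], elapsed, @seconds)
  end
end

# In a Rails app this would be registered in config/environments/production.rb,
# for example (the value is an assumption):
#   config.middleware.use RequestDeadline, seconds: 15
```

This bounds only the time spent inside the app call. Time spent before a request reaches the Rack stack is not covered, which is where the ALB and Puma settings mentioned above apply.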