
add humans.txt

1 parent fc5c41e commit ceb1dcc3dbd4f3e5d42f46bb5746c87c1fcf47ff @paulca paulca committed May 8, 2012
Showing with 9 additions and 0 deletions.
  1. +9 −0 railties/lib/rails/generators/rails/app/templates/public/
@@ -0,0 +1,9 @@
+# See more about this file at:
+# For format suggestions, see:
+/* TEAM */
+ <%= ENV['USER'].titlecase %>
+/* APP */
+ Name: <%= app_const_base %>
+ Date Created: <%="%B %d, %Y") %>
+ Software: Ruby on Rails
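Review bot: the TEAM and Date Created lines publish the developer's OS username (`ENV['USER'].titlecase`) and the app's creation date from a file that is served verbatim out of `public/`, which the generated app has no need to disclose; ship placeholder text (e.g. `Your name here`) or drop those two lines and let the developer fill in the file by hand. Two smaller points in the same hunk: the line `+ Date Created: <%="%B %d, %Y") %>` as shown has an unmatched `)` and no method applied to the format string, so it will not render as ERB, and the two comment lines `# See more about this file at:` / `# For format suggestions, see:` end without the URL they announce.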

8 comments on commit ceb1dcc

nertzy commented on ceb1dcc May 11, 2012

I appreciate the spirit, although I worry that this can be used to detect Ruby on Rails applications in order to exploit security holes quickly.

The date created might give a good proxy for what version the site is running if it hasn't been upgraded yet. The app_const_base can tell you information about how the code is structured if you are able to figure out some hole to eval code on the server side. And using the ENV['USER'] could give hints as to what usernames are good to guess for admin accounts.

fxn commented on ceb1dcc May 12, 2012

/cc grandpa @NZKoz


I'm 👎 on this for the reasons outlined by @nertzy.


@nertzy @oscardelben

I know more proven ways to detect ROR usage. So let's rename jQuery.rails to jQuery.php?


Kinda 👎 because of ENV[USER] and Date Created. Is there any way we can just add an empty/sample humans.txt (same as with robots.txt)?
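Taking nertzy's concern above and the placeholder suggestion in the comment just above together, here is an added example (my own code, not part of this commit or of Rails) that renders both variants of the template with plain ERB and runs a small pre-commit check over the result. `render_humans`, `find_leaks` and the two template constants are names I chose; the sample username, app name and date are constructed, and the leaky template's date line is assumed to be a `strftime` call, since the commit's own line does not parse.

```ruby
require 'erb'

# Constructed template in the shape of the commit's humans.txt: it
# interpolates the developer's username, the app constant and the
# generation date (the strftime call is an assumption, see lead-in).
LEAKY_TEMPLATE = <<~ERB
  /* TEAM */
    <%= user %>
  /* APP */
    Name: <%= app_name %>
    Date Created: <%= created.strftime('%B %d, %Y') %>
    Software: Ruby on Rails
ERB

# Placeholder-only variant, the alternative proposed in the thread:
# nothing from the generator's environment ends up in the file.
PLACEHOLDER_TEMPLATE = <<~ERB
  /* TEAM */
    Your name here
  /* APP */
    Name: Your app name here
    Software: Ruby on Rails
ERB

# Render a template with the values the generator would have on hand:
# ENV['USER'], app_const_base and the time of generation.
def render_humans(template, user:, app_name:, created:)
  ERB.new(template).result_with_hash(user: user, app_name: app_name, created: created)
end

# Pre-commit check for text files under public/: flag every line that
# contains one of the values taken from the developer's environment
# (OS username, app constant), case-insensitively, plus any "Date Created"
# line, which dates the codebase and so hints at the framework version.
# Returns [line_number, reason] pairs; an empty array means nothing flagged.
def find_leaks(text, environment_values:)
  findings = []
  text.each_line.with_index(1) do |line, no|
    environment_values.each do |value|
      next if value.to_s.strip.empty?
      if line.downcase.include?(value.downcase)
        findings << [no, "contains environment value #{value.inspect}"]
      end
    end
    findings << [no, 'dates the codebase'] if line.strip.start_with?('Date Created:')
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values standing in for ENV['USER'], app_const_base and Time.now.
  leaky = render_humans(LEAKY_TEMPLATE, user: 'Alice', app_name: 'PayrollPortal',
                        created: Time.new(2012, 5, 8))
  puts leaky
  find_leaks(leaky, environment_values: ['alice', 'PayrollPortal']).each do |no, why|
    puts "line #{no}: #{why}"
  end
end
```

Run the file directly to see the rendered leaky file followed by the three flagged lines (the TEAM line, the Name line and the Date Created line); the same check over the placeholder template returns nothing, which is the property a generator default should have.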

jnx commented on ceb1dcc May 14, 2012

There's both good and bad things about this, although I like this one.


@kossnocorp I'm not particularly worried about detecting rails itself, there's nothing to hide there. I don't like the date and user attributes personally. This is how default credits look in Xcode projects:

    Some people

Human Interface Design:
    Some other people

    Hopefully not nobody


With special thanks to:

They're vague and it's a good thing.

henrik commented on ceb1dcc Jun 1, 2012

I like that there is a default file to encourage use and so that requests for it (by e.g. browser extensions) don't 404.

But I agree that exposing the username is a bad thing, if the user isn't fully aware that this is happening. It reminds me of when the IRC client Colloquy included the full user name in your public info, but only had that info in the folded-up advanced settings.

Not sure app name or date are things to expose without making it clear, either.

To play the devil's advocate, I suppose seeing this file in the public directory should alert you that it will be exposed, but I would prefer a higher level of privacy as the default.
