We have noticed a design flaw with the newer (4.0+) versions of Phusion Passenger. When an error occurs starting an app (Ruby, Python, etc.), it displays a Passenger debug message which lists all system variables, environment variables (!), directories, etc. Is this a design flaw?
You cannot password protect the VirtualHost directive AND run the app at the same time for a public app, nor can you disable, globally, these debug pages. In a production app, they should never display, ever, anywhere on the system, unless the administrator specifies that they should… Why is this default behavior?
A lot of new users store sensitive Rails settings in environment variables (whether by hand, Figaro gem, etc), and this is becoming more of a practice because it is the default in Rails Composer/Rails App Composer, which many users (new and experienced alike) use to start a project.
In a production site, the number of spiders/bots that will capture that page, even if for half a second, can be in the tens of thousands, and so on.
There needs to be a way to disable Passenger debug webpages from ever displaying, but the only documentation related to debugging or logs relates to their Enterprise edition. Do you have to "pay" or else?
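
Passenger's Apache module has a `PassengerFriendlyErrorPages` directive that controls these pages. The following is an added example, not part of the original post, that audits an Apache configuration for scopes where the page is still enabled. The sample configuration and host names are constructed, and treating an unset directive as "on" is an assumption matching the 4.0 behaviour the post describes.

```python
import re

# Constructed sample Apache configuration (not from the original post).
SAMPLE_CONF = """\
PassengerFriendlyErrorPages off
<VirtualHost *:80>
    ServerName shop.example.test
</VirtualHost>
<VirtualHost *:80>
    ServerName staging.example.test
    PassengerFriendlyErrorPages on
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^PassengerFriendlyErrorPages\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^ServerName\s+(\S+)", re.I)

def audit(conf_text, default="on"):
    """Return {scope: effective setting} for the global scope and each vhost.
    `default` is what an unset directive means (assumption: "on")."""
    global_value, vhosts, current = None, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if VHOST_OPEN.match(line):
            current = {"name": "<unnamed vhost>", "value": None}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif (m := SERVER_NAME.match(line)) and current is not None:
            current["name"] = m.group(1)
        elif m := DIRECTIVE.match(line):
            if current is None:
                global_value = m.group(1).lower()
            else:
                current["value"] = m.group(1).lower()
    # A vhost-level value overrides the server-wide one, wherever it appears.
    base = global_value or default
    result = {"<global>": base}
    for v in vhosts:
        result[v["name"]] = v["value"] or base
    return result

def exposed(conf_text, default="on"):
    """Scopes where a failed app start would still render the debug page."""
    return sorted(s for s, v in audit(conf_text, default).items() if v != "off")
```

Calling `exposed(SAMPLE_CONF)` flags only the vhost that re-enables the page; a configuration with no directive at all is flagged in every scope.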