@FooBarWidget
Last active December 22, 2015 12:18

Tony Arcieri (@bascule) asked: "@phusion_nl @dakami @tqbf the larger concern is how easily I can DoS it by running wrk on my laptop (same could be said of slowloris)"

In Phusion Passenger's design, all application processes are shielded by the web server from Slowloris-like attacks. The web server's buffering ensures that an application only receives a request once it has been fully received from the client. It also ensures that applications are released from the request/response cycle as soon as they finish handling the request, rather than when the client finishes reading the response. In my tweet I said "You cannot DoS Passenger with Slowloris-like attacks". The more accurate, longer answer would be: susceptibility to Slowloris-like attacks depends on the web server. On Apache, you need to mitigate it with the proper Apache tools; you'll probably want to increase the number of Apache threads. On Nginx, you should be immune to Slowloris-like attacks thanks to its evented I/O architecture.

[EDIT] Note that the Slowloris protection has nothing to do with whether the app server supports threads at the application level. Slowloris protection depends purely on the web server's I/O architecture and buffering properties.
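To make the buffering property concrete, here is an added example (my own sketch, not Phusion Passenger, Apache or Nginx code) of a front end that hands a request to the application only after the headers and the Content-Length body have arrived in full, so a slow-drip client ties up a small buffer rather than an application process. The class and function names and the sample chunks are this example's own.

```python
class RequestBuffer:
    """Accumulates bytes from one client connection and releases a request
    to the application only when it is complete (hypothetical helper)."""

    MAX_HEADER_BYTES = 8192  # cap so a slow client cannot grow the buffer without bound

    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes):
        """Append bytes; return (head, body) once a full request is buffered, else None."""
        self.buf += data
        end = self.buf.find(b"\r\n\r\n")
        if end == -1:
            # Headers still incomplete: nothing reaches the application yet.
            if len(self.buf) > self.MAX_HEADER_BYTES:
                raise ValueError("header section too large")
            return None
        head, rest = self.buf[:end], self.buf[end + 4:]
        headers = {}
        for line in head.split(b"\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        if len(rest) < length:
            return None  # body still trickling in; keep waiting, app not involved
        body, self.buf = rest[:length], rest[length:]
        return head, body


def simulate_slow_client(chunks):
    """Feed constructed chunks one at a time and record each time the
    'application' would be invoked. For a Slowloris-style drip this is
    at most once, at the final chunk."""
    rb = RequestBuffer()
    app_calls = []
    for chunk in chunks:
        request = rb.feed(chunk)
        if request is not None:
            app_calls.append(request)  # only here does an app process get work
    return app_calls


if __name__ == "__main__":
    # Constructed sample: a GET request dripped in four pieces.
    drip = [b"GET / HT", b"TP/1.1\r\nHost: ex", b"ample\r\nX-A: 1\r\n", b"\r\n"]
    print(len(simulate_slow_client(drip)), "application invocation(s)")
```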

[EDIT 2] @eachus made a comment about mod_php and the MPM. Phusion Passenger mimics mod_php's ease of use only, not its architecture. mod_php runs PHP inside Apache, whereas Phusion Passenger explicitly chose not to do that for security and stability reasons.
