diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 2b61387830..42ea2342bd 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1367,13 +1367,6 @@ Rails/HasManyOrHasOneDependent:
     - 'app/models/user.rb'
     - 'app/models/web/push_subscription.rb'
 
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: Include.
-# Include: spec/**/*, test/**/*
-Rails/HttpPositionalArguments:
-  Exclude:
-    - 'spec/config/initializers/rack_attack_spec.rb'
-
 # Configuration parameters: Include.
 # Include: spec/**/*.rb, test/**/*.rb
 Rails/I18nLocaleAssignment:
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb
index cc931b21b3..0411a48d2a 100644
--- a/spec/config/initializers/rack_attack_spec.rb
+++ b/spec/config/initializers/rack_attack_spec.rb
@@ -2,9 +2,7 @@
 
 require 'rails_helper'
 
-describe Rack::Attack do
-  include Rack::Test::Methods
-
+describe Rack::Attack, type: :request do
   def app
     Rails.application
   end
@@ -25,7 +23,7 @@ describe Rack::Attack do
       it 'does not change the request status' do
         limit.times do
           request.call
-          expect(last_response.status).to_not eq(429)
+          expect(response).to_not have_http_status(429)
         end
       end
     end
@@ -34,13 +32,13 @@ describe Rack::Attack do
       it 'returns http too many requests after limit and returns to normal status after period' do
         (limit * 2).times do |i|
           request.call
-          expect(last_response.status).to eq(429) if i > limit
+          expect(response).to have_http_status(429) if i > limit
         end
 
         travel period
 
         request.call
-        expect(last_response.status).to_not eq(429)
+        expect(response).to_not have_http_status(429)
       end
     end
   end
@@ -51,7 +49,7 @@ describe Rack::Attack do
     context 'through the website' do
       let(:limit)  { 25 }
       let(:period) { 5.minutes }
-      let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+      let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
 
       context 'for exact path' do
         let(:path) { '/auth' }
@@ -69,7 +67,7 @@ describe Rack::Attack do
     context 'through the API' do
       let(:limit)  { 5 }
       let(:period) { 30.minutes }
-      let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+      let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
 
       context 'for exact path' do
         let(:path) { '/api/v1/accounts' }
@@ -82,7 +80,7 @@ describe Rack::Attack do
 
         it 'returns http not found' do
           request.call
-          expect(last_response.status).to eq(404)
+          expect(response).to have_http_status(404)
         end
       end
     end
@@ -91,7 +89,7 @@ describe Rack::Attack do
   describe 'throttle excessive sign-in requests by IP address' do
     let(:limit)  { 25 }
     let(:period) { 5.minutes }
-    let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+    let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
 
     context 'for exact path' do
       let(:path) { '/auth/sign_in' }