Configuring attack protection

Sinatra uses Rack::Protection to defend your application against common, opportunistic attacks.

  1. You can easily disable this behavior (which will open up your application to many common vulnerabilities):

    disable :protection

  2. To skip a single defense layer, set protection to an options hash:

    set :protection, :except => :path_traversal
    
  3. You can also hand in an array in order to disable a list of protections:

    set :protection, :except => [:path_traversal, :session_hijacking]
    
  4. By default, Sinatra will only set up session-based protection if :sessions has been enabled.

    Sometimes you want to set up sessions on your own, though.

    In that case you can get it to set up session-based protections by passing the :session option:

    use Rack::Session::Pool
    set :protection, :session => true
    
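The options above configure the real middleware. As an added example (not Sinatra's or rack-protection's own code), here is a stripped-down model of two Rack::Protection layers and of the :except option, so the effect of skipping :path_traversal can be observed on a constructed request. The class names, the PROTECTIONS hash and the helper functions are this example's own.

```ruby
# Added illustration, NOT the rack-protection gem's code: a stripped-down model
# of two Rack::Protection layers and of the `except:` option, so the effect of
# `set :protection, :except => ...` can be seen on a request (names are ours).

# Models Rack::Protection::PathTraversal: resolve "." and ".." segments in
# PATH_INFO so a request can never refer to files above the app root.
# (The real layer also handles percent-encoded dots; omitted here.)
class PathTraversalGuard
  def initialize(app)
    @app = app
  end
  def call(env)
    env['PATH_INFO'] = self.class.cleanup(env['PATH_INFO'])
    @app.call(env)
  end
  def self.cleanup(path)
    parts = []
    path.split('/').each do |seg|
      next if seg.empty? || seg == '.'
      seg == '..' ? parts.pop : parts << seg
    end
    '/' + parts.join('/')
  end
end

# Models Rack::Protection::FrameOptions: add X-Frame-Options to responses.
class FrameOptionsGuard
  def initialize(app)
    @app = app
  end
  def call(env)
    status, headers, body = @app.call(env)
    headers['X-Frame-Options'] ||= 'SAMEORIGIN'
    [status, headers, body]
  end
end

PROTECTIONS = { path_traversal: PathTraversalGuard, frame_options: FrameOptionsGuard }

# Wrap `app` in every layer except those named, like Sinatra's :except option
# (accepts a single symbol or an array, as in the text above).
def build_protected_app(app, except: [])
  skipped = Array(except)
  PROTECTIONS.reduce(app) { |inner, (name, klass)| skipped.include?(name) ? inner : klass.new(inner) }
end

# Constructed minimal Rack env; the app just echoes the path it was handed.
def serve(path, except: [])
  echo_app = ->(env) { [200, {}, [env['PATH_INFO']]] }
  build_protected_app(echo_app, except: except).call({ 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path })
end
```

With all layers on, a request for /assets/../../secrets.yml reaches the app as /secrets.yml; with :path_traversal skipped, the app receives the raw path unchanged.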

Casiano Rodriguez León 2015-01-07