Sinatra has the some protections enabled by default
|
# On by default, unless skipped |
|
use ::Rack::Protection::FrameOptions, options unless except.include? :frame_options |
|
use ::Rack::Protection::HttpOrigin, options unless except.include? :http_origin |
|
use ::Rack::Protection::IPSpoofing, options unless except.include? :ip_spoofing |
|
use ::Rack::Protection::JsonCsrf, options unless except.include? :json_csrf |
|
use ::Rack::Protection::PathTraversal, options unless except.include? :path_traversal |
|
use ::Rack::Protection::RemoteToken, options unless except.include? :remote_token |
|
use ::Rack::Protection::XSSHeader, options unless except.include? :xss_header |
but the reaction is set to drop_session
|
options[:reaction] ||= :drop_session |
which renders many protections useless? If you want them to actually stop the request from reaching your application
|
def call(env) |
|
unless accepts? env |
|
instrument env |
|
result = react env |
|
end |
|
result or app.call(env) |
|
end |
|
def drop_session(env) |
|
return unless session? env |
|
|
|
session(env).clear |
|
|
|
return if ["1", "true"].include?(ENV["RACK_PROTECTION_SILENCE_DROP_SESSION_WARNING"]) |
|
|
|
warn env, "session dropped by #{self.class}" |
|
end |
