Menu
I have a web app, lets say http://web.example.com making a POST request to http://api.example.com. The api server is running the latest version of Sinatra with rack protection enabled. I am getting this error 'attack prevented by Rack::Protection::HttpOrigin'.
I can do something like this:
set :protection, :except => [:http_origin]
but I feel like I am just ignoring the actual problem.
I have tried to do this:
use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']
but I still get the warning.
The request does not get rejected, but Sinatra clears my session see this post and I need the session_id.
Any help or examples on how to specify the option_whitelist for the HttpOrigin class would be greatly appreciated.
766
Pass your options as a hash to set :protection:
set :protection, :origin_whitelist => ['http://web.example.com']
Sinatra will then pass them through to Rack::Protection when setting it up.
I suspect the reason it is failing when you have use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com'] is that you still have protection enabled, so that you end up with two instances of HttpOrigin. You could try
set :protection, :except => [:http_origin]
use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']
(i.e. have both the lines you’ve tried together), but I think the first solution is cleaner.
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
