What are the best practices to secure a Sinatra application?

Question

What are the best practices to secure a Sinatra application that uses many different forms and mongodb as a database?

Answer 1

Forms

If you have forms you should definitely use an authenticity token in order to avoid cross site request forgeries. Check out rack_csrf gem for Sinatra.

Cookies / Sessions

If you have have sessions enabled, since Sinatra implements cookie-based sessions you should check encrypted_cookie gem as a mean to encrypt Sinatra’s sessions using 256-bit AES algorithm.

Last but not least always use HTTPS

Read this blog post for a well-rounded explanation.

Answer 2

Not sure what you are looking for. Here are a few thoughts.

If you want to validate users of your system, I suggest using authentication that operates at the Rack layer, like Warden. Not only is this likely more robust than a custom authentication solution would be, it operates as middleware so its mostly transparent and can be used outside of Sinatra should you decide to add additional middleware, custom Rack applications, or Rails to your Rack stack.

The way mongodb operates, where commands are separated from the data, means injections are unlikely so some minimal sanity checking of user inputs should make the risk of database compromises pretty low. As with any database its good practice to never directly put any data into your database from a user without proper bounds checking and escaping.

Make sure users can't input HTML/JS/CSS that can be seen by other users, otherwise your site will likely be vulnerable to XSS.

When possible clearly define all of the possible inputs a user is allowed to choose from, then make sure the input you receive from users matches EXACTLY one of the possible values you defined. If not either reject the input or pick a sane default value.

Good unit testing and broad test coverage can often help reduce unexpected behavior which can sometimes be used to help prevent security problems. Try that out. Certainly couldn't hurt.

Another good practice which can peripherally benefit security is to not reinvent the wheel. Go with hardened, proven, functioning solutions the rest of the community depends on so you can benefit from the insights of others and reap the rewards when someone else finds and fixes a security flaw in a library you use.

There are many other system, database, and application level concerns you may need to address to ensure your application is secure. The scope of your question is a bit too broad to answer without intimate knowledge of your complete system architecture.