Ruby Building Web Apps with Sinatra Finishing Touches Summary

Jose Balaguer
Jose Balaguer
17,473 Points

Security issues?

You said there is info on security issues in the teacher's notes but there isn't ...

3 Answers

Jay McGavren
STAFF
Jay McGavren
Treehouse Teacher

Jose Balaguer I would say "secure enough", at least for a beginner project. If an app was holding sensitive data, I wouldn't recommend entrusting it to text files. But we'll need to build up to that one step at a time.

Also, I forgot that I intended to add some info about escaping HTML (a simple security measure) to the teacher's notes. So the video will be left unmodified after all, and the teacher's notes have been updated.

Jay McGavren
STAFF
Jay McGavren
Treehouse Teacher

Jose Balaguer I was concerned that malicious users would be able to access files in directories other than the pages/ directory by using paths like /../../secret but it turns out that Sinatra treats that as an invalid URL (even if the punctuation characters are encoded).

I'll have that reference to the teacher's notes removed from the video; it shouldn't be needed after all. Thanks for pointing it out!

Jose Balaguer
Jose Balaguer
17,473 Points

So, uploading a Sinatra app like this to a production server is "secure"? Thanks!

In "Teacher's Notes", there is a link for the official Sinatra site. Follow that link. Then, in "Configurations" section (9), you will find "Configuring attack protection". Also, in "Configuring attack protection" there is a link for Rack::Protection. Following that link brings you to the "sinatra/rack-protection" page on GitHub (which tells you "This project has been merged upstream to sinatra/sinatra"). Follow the "sinatra/sinatra" GitHub link and click on the "rack-protection" folder to get even more info regarding Rack::Protection.

Happy coding!

Jose Balaguer
Jose Balaguer
17,473 Points

Not so obvious XD. And this basically tells you how to DISABLE protection, or use session based protection. I've found those docs are not very useful at this beginner-medium level, anyway. Thanks for your comment !