Sinatra and SSL
I recently rolled out SSL support on Gaug.es. Gaug.es is a fairly simple Sinatra application. Most of the app requires authentication, but there are a few public URLs that are unauthenticated.
There two essential steps in securing an app which requires user authentication and then gives them unlimited access to their data:
- Only set and use session cookies over secure connections
- Mark all cookies as Secure so the browser doesn’t transmit them when requesting a non-secure URL
I evaluated a couple options, but quickly settled on Josh Peek’s simple rack-ssl gem.
Rack::SSL is a middleware that just redirects
http:// requests to
https:// and marks any cookies set by your app as secure.
I wanted to create a clear separation between the parts of Gaug.es that require authentication and those that don’t to avoid accidentally leaking cookies (yeah, that’s a technical term), so I moved all the non-authenticated routes to a separate Sinatra application and insert it into the main app. Here’s essentially what I ended up with: