sinatra/rack-protection

Implementation doubt

sonoman opened this issue · 2 comments

Hi there:
I have implemented a REST API to be consumed by an HTML5 application, and I'm using Rack::Session to track some information about the app. Now, since the HTML application is serverless, when it tries to post some information, Rack::Protection prevents that operation due to remote_token.
So, I've learnt how to work with CSRF tokens, but I don't send any HTML form to the client app to insert any meta tag (with a helper), just JSON (it's all MVC on the client side)... What should I do in that case? Send the token to the client in an HTTP header (and have the client send the token again in an HTTP header)? Or just disable remote_token protection?

rkh commented

Yes, you could set it in a header. If you don't use sessions, then disabling just remote_token (via except: :remote_token) should be fine. Also, changing the default reaction to drop_session should work, too. We need to improve the docs on this and actually make it easier to use rack-protection standalone (right now quite some config logic for it is in Sinatra).
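The header-based flow rkh describes, as an added, self-contained example (not rack-protection's own code and not from the thread): a tiny Rack-style middleware hands the session's CSRF token to the JSON client in a response header and only accepts state-changing requests that echo it back in a request header. The header name `X-CSRF-Token`, the `HeaderCsrfGuard` class and the stand-in `API` app are assumptions made for the example; with the real gem the alternatives mentioned above are `use Rack::Protection, except: :remote_token` or `use Rack::Protection, reaction: :drop_session`, shown here only as comments.

```ruby
require "securerandom"

# Simplified stand-in for rack-protection's remote_token check (example code, not the gem's).
# Any object responding to call(env) and returning [status, headers, body] is a Rack middleware.
#
# With the real gem, the options rkh mentions look like:
#   use Rack::Protection, except: :remote_token      # skip only the remote_token check
#   use Rack::Protection, reaction: :drop_session    # drop the session instead of returning 403
class HeaderCsrfGuard
  TOKEN_HEADER = "HTTP_X_CSRF_TOKEN"                 # Rack env key for the X-CSRF-Token request header (assumed name)
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze  # idempotent methods are not checked

  def initialize(app)
    @app = app
  end

  def call(env)
    session = env["rack.session"] ||= {}
    session[:csrf] ||= SecureRandom.hex(32)          # one random token per session

    unless SAFE_METHODS.include?(env["REQUEST_METHOD"]) || valid_token?(session[:csrf], env[TOKEN_HEADER])
      return [403, { "content-type" => "application/json" }, ['{"error":"csrf token missing or invalid"}']]
    end

    status, headers, body = @app.call(env)
    # Expose the token in a response header so a JSON-only client can read it without a meta tag.
    [status, headers.merge("x-csrf-token" => session[:csrf]), body]
  end

  private

  # Constant-time comparison so a timing side channel does not leak the token byte by byte.
  def valid_token?(expected, given)
    return false if given.nil? || given.bytesize != expected.bytesize
    expected.bytes.zip(given.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Constructed JSON backend standing in for the REST API from the question.
API = ->(_env) { [200, { "content-type" => "application/json" }, ['{"ok":true}']] }
APP = HeaderCsrfGuard.new(API)

# Plays the client-side app: builds a Rack env over a shared session hash and optionally sends the header.
def client_request(session, method, token: nil)
  env = { "REQUEST_METHOD" => method, "rack.session" => session }
  env["HTTP_X_CSRF_TOKEN"] = token if token
  APP.call(env)
end

# Walks through the full exchange and returns the status code of each step.
def demo_flow
  session = {}
  get_status, headers, = client_request(session, "GET")       # first GET: learn the token from the response header
  token = headers["x-csrf-token"]
  blind  = client_request(session, "POST")[0]                 # POST without the header: rejected (403)
  forged = client_request(session, "POST", token: "0" * 64)[0] # wrong token of the right length: rejected (403)
  ok     = client_request(session, "POST", token: token)[0]   # token echoed back in the header: accepted (200)
  { get: get_status, blind: blind, forged: forged, ok: ok }
end

puts demo_flow.inspect if $PROGRAM_NAME == __FILE__
```

The guard deliberately skips safe methods, so the client's first GET is never blocked and is the natural place to pick up the token; every later POST, PUT or DELETE must carry it. Tying the token to `rack.session` is what makes this equivalent to keeping remote_token enabled rather than turning it off.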

Thanks for your advice ;)