Jose Balaguer
17,473 Points
Security issues?
You said there is info on security issues in the teacher's notes but there isn't ...
3 Answers
Jay McGavren
Treehouse Teacher
Jose Balaguer, I would say "secure enough", at least for a beginner project. If an app was holding sensitive data, I wouldn't recommend entrusting it to text files. But we'll need to build up to that one step at a time.
Also, I forgot that I intended to add some info about escaping HTML (a simple security measure) to the teacher's notes. So the video will be left unmodified after all, and the teacher's notes have been updated.
Jay McGavren
Treehouse Teacher
Jose Balaguer, I was concerned that malicious users would be able to access files in directories other than the pages/ directory by using paths like /../../secret but it turns out that Sinatra treats that as an invalid URL (even if the punctuation characters are encoded).
I'll have that reference to the teacher's notes removed from the video; it shouldn't be needed after all. Thanks for pointing it out!
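For readers who want the check in their own code rather than relying on the framework's URL handling, here is an added example (not from the course or from Jay's answer) that resolves a requested page name against the pages/ directory and escapes page text before it reaches HTML. It assumes pages are stored as pages/NAME.txt and uses only Ruby's standard library, so it runs without Sinatra.

```ruby
require "cgi"

# Directory the app is allowed to serve from (assumed layout: pages/<name>.txt).
PAGES_DIR = File.expand_path("pages", Dir.pwd)

# Resolve a user-supplied page name to a file inside `base`, or return nil if
# the resolved path would leave that directory. The name is URL-decoded first,
# so encoded forms such as %2e%2e%2f are treated the same as a literal "../".
def safe_page_path(name, base = PAGES_DIR)
  decoded = CGI.unescape(name.to_s)
  return nil if decoded.empty? || decoded.include?("\0")
  candidate = File.expand_path(decoded + ".txt", base)
  # Compare with a trailing separator so that a sibling directory such as
  # "pages_private" is not accepted as being inside "pages".
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Escape user-controlled text before interpolating it into HTML so a page body
# or title cannot inject markup or script into the rendered response.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# Render one page as [status, html]. Kept framework-free so the logic can be
# exercised directly; a Sinatra route would just return these two values.
def render_page(name, base = PAGES_DIR)
  path = safe_page_path(name, base)
  return [404, "<h1>Not found</h1>"] if path.nil? || !File.file?(path)
  body = File.read(path)
  [200, "<h1>#{escape_html(name)}</h1><pre>#{escape_html(body)}</pre>"]
end
```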
Jose Balaguer
17,473 Points
So, uploading a Sinatra app like this to a production server is "secure"? Thanks!
James Kirkpatrick
25,001 Points
In "Teacher's Notes", there is a link for the official Sinatra site. Follow that link. Then, in the "Configurations" section (9), you will find "Configuring attack protection". Also, in "Configuring attack protection" there is a link for Rack::Protection. Following that link brings you to the "sinatra/rack-protection" page on GitHub (which tells you "This project has been merged upstream to sinatra/sinatra"). Follow the "sinatra/sinatra" GitHub link and click on the "rack-protection" folder to get even more info regarding Rack::Protection.
Happy coding!
Jose Balaguer
17,473 Points
Not so obvious XD. And this basically tells you how to DISABLE protection, or use session-based protection. I've found those docs are not very useful at this beginner-medium level, anyway. Thanks for your comment!