I am using Sinatra and CORS to accept a file upload on domain A (hefty.burger.com). Domain B (fizzbuzz.com) has a form that uploads a file to a route on A.
I have a
If you see this issue, you are not using CORS (cross-origin resource sharing), and you are behind a reverse proxy (such as nginx or Apache), make sure that your reverse proxy isn't stripping out the Host header and replacing it with localhost.
For example, in nginx you need to use proxy_set_header:
    location / {
        proxy_pass http://localhost:9296;
        proxy_set_header Host $host;
    }
When the header is stripped out from a request, Rack::Protection believes it to be a CSRF attack.
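Why the rewritten Host trips the check, as an added example that is not part of the original answer and not Rack::Protection's own code: a simplified Ruby model of an Origin-versus-Host comparison for unsafe HTTP methods. The helper names and the app.example host are constructed, and it assumes nginx's default of sending the proxy_pass target as Host when no proxy_set_header Host is given.

```ruby
# Simplified model (assumption): same-origin check on a Rack-style env.
DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze
SAFE_METHODS  = %w[GET HEAD OPTIONS TRACE].freeze

# Hypothetical helper: the env the app sees after nginx forwards the request.
# Without proxy_set_header Host, nginx sends the proxy_pass target as Host.
def forwarded_env(client_env, upstream:, preserve_host:)
  env = client_env.dup
  env['HTTP_HOST'] = upstream unless preserve_host
  env
end

# Rebuild scheme://host[:port] from what the app received.
def base_url(env)
  scheme = env.fetch('rack.url_scheme', 'http')
  host, port = env.fetch('HTTP_HOST').split(':', 2)
  port = (port || DEFAULT_PORTS[scheme]).to_i
  suffix = port == DEFAULT_PORTS[scheme] ? '' : ":#{port}"
  "#{scheme}://#{host}#{suffix}"
end

# Unsafe methods carrying an Origin header must match the app's own base URL.
def accepts?(env)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  origin = env['HTTP_ORIGIN']
  return true if origin.nil?
  origin == base_url(env)
end

# Constructed sample: a same-site form POST as the browser sends it.
CLIENT_POST = {
  'REQUEST_METHOD'  => 'POST',
  'HTTP_HOST'       => 'app.example',
  'HTTP_ORIGIN'     => 'http://app.example',
  'rack.url_scheme' => 'http'
}.freeze

def demo
  up = 'localhost:9296' # proxy_pass target from the nginx block above
  {
    host_rewritten: accepts?(forwarded_env(CLIENT_POST, upstream: up, preserve_host: false)),
    host_preserved: accepts?(forwarded_env(CLIENT_POST, upstream: up, preserve_host: true))
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

With the Host rewritten, the app reconstructs its own URL as http://localhost:9296, which no browser-supplied Origin will ever equal, so a legitimate POST is indistinguishable from a cross-site one.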