I have a web app, lets say http://web.example.com making a POST request to http://api.example.com. The api server is running the latest version of Sinatra with rack protection enabled. I am getting this error 'attack prevented by Rack::Protection::HttpOrigin'.

I can do something like this:

set :protection, :except => [:http_origin]

but I feel like I am just ignoring the actual problem.

I have tried to do this:

use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']

but I still get the warning.

The request does not get rejected, but Sinatra clears my session see this post and I need the session_id.

Any help or examples on how to specify the option_whitelist for the HttpOrigin class would be greatly appreciated.

Pass your options as a hash to set :protection:

set :protection, :origin_whitelist => ['http://web.example.com']

Sinatra will then pass them through to Rack::Protection when setting it up.

I suspect the reason it is failing when you have use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com'] is that you still have protection enabled, so that you end up with two instances of HttpOrigin. You could try

set :protection, :except => [:http_origin]
use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']

(i.e. have both the lines you’ve tried together), but I think the first solution is cleaner.