5

I've created a little Sinatra app and use Puma to run it. I've deployed my app to Heroku and everything works fine, but if I follow an external link to my app, I get the response Forbidden. Where does this come from?

The app only defines one HTTP method:

require 'sinatra'

# The only route: a GET on / that is served with a JSON content type.
get '/' do
  headers 'Content-Type' => 'application/json'  # this header is what triggers the 403 below
  body 'Hello World'
end

For example following https://contactsampleprovider.herokuapp.com/ will result in Forbidden, but entering the URL manually in the browser works fine.

If I leave out the headers-call, everything works as expected.

Malte Schmitz

1 Answer

0

This is a feature of Rack protection that seems to be enabled automatically if you set the content type to JSON. It can be disabled by

set :protection, :except => [:json_csrf]  # keep the other Rack::Protection middlewares, drop only JsonCsrf

as described for example in this question on Sinatra and Rack protection.

Malte Schmitz
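The behaviour both posts describe can be reproduced offline. The block below is an added example, not code from the question or from rack-protection: it is a stand-alone model of the decision Rack::Protection::JsonCsrf makes, wrapped around a bare Rack-style app equivalent to the question's route. The class name JsonCsrfGuard, the helper names, and the request environments are all constructed for this illustration. One point is an assumption taken from the question itself rather than from the library: because typing the URL into the address bar works, a request with no Referer at all is let through here; check the installed rack-protection version for its exact treatment of a missing Referer.

```ruby
# Added example (not code from the question or from rack-protection): a model
# of the Rack::Protection::JsonCsrf decision that yields the "Forbidden" above.
# It wraps any Rack-style app (a callable taking an env Hash and returning
# [status, headers, body]) and needs no gems.
require 'uri'

class JsonCsrfGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless cross_site_json_read?(env, headers)
    # Rack::Protection's default reaction for this filter is to deny the request.
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end

  # A response counts as a JSON-hijacking vector when it is served as
  # application/json to a plain (non-XHR) navigation that carries no Origin
  # header and whose Referer names a different host than the one requested.
  # Assumption (from the question's report that a typed-in URL works): a
  # request with no Referer at all is allowed through.
  def cross_site_json_read?(env, headers)
    return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
    return false unless json?(headers['Content-Type'])
    return false unless env['HTTP_ORIGIN'].nil?
    ref_host = referrer_host(env['HTTP_REFERER'])
    !ref_host.nil? && ref_host != env['HTTP_HOST']
  end

  private

  # Compare only the media type, so "application/json; charset=utf-8" still counts.
  def json?(content_type)
    content_type.to_s.split(';', 2).first.to_s.strip.casecmp?('application/json')
  end

  def referrer_host(referer)
    return nil if referer.nil? || referer.empty?
    URI.parse(referer).host
  rescue URI::InvalidURIError
    nil
  end
end

# The question's handler as a bare Rack app: JSON content type, fixed body.
HELLO_JSON = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['Hello World']]
end

# The variant the question says works: same body, no JSON content type.
HELLO_TEXT = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain' }, ['Hello World']]
end

# Constructed request environments (not captured traffic). HTTP_HOST is the
# host the app is reached on; HTTP_REFERER is whatever the browser would send.
def request_env(referer: nil, origin: nil, xhr: false)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/',
          'HTTP_HOST' => 'contactsampleprovider.herokuapp.com' }
  env['HTTP_REFERER'] = referer if referer
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  env
end

# Status the guarded app answers with for a given request.
def status_for(env, app: HELLO_JSON)
  JsonCsrfGuard.new(app).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for(request_env)                                        # typed into the address bar
  puts status_for(request_env(referer: 'https://example.org/links'))  # followed from another site
  puts status_for(request_env(referer: 'https://contactsampleprovider.herokuapp.com/'))
  puts status_for(request_env(referer: 'https://example.org/links'), app: HELLO_TEXT)
end
```

The filter exists because older browsers let a page on another origin read a JSON array response by loading the URL in a script tag (JSON hijacking). For an endpoint like this one, which returns the same fixed body to everyone, switching it off with the answer's `set :protection, :except => [:json_csrf]` loses nothing; for an authenticated endpoint that returns per-user data, keeping the filter and letting clients send the request as XHR (or with an Origin header) is the safer path.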