I thought I’d write about how fanriff.com serves its Ember.js index from its Sinatra.rb API, and how web clients interacts with the back-end once the application is loaded. It started to run a little long so I’ve broken it up into parts. This first chapter will cover some background information on Ember, the fanriff.com web architecture, and how we deploy our Ember index to our stack.
TIL to set X-Forwarded-Proto on requests forwarded from your reverse proxy, otherwise Rack::Session won’t let you set secure cookies. #ruby
— Mike Pastore (@mwpastore) February 15, 2016
If your Rack application (and probably other types of applications) lives behind a reverse proxy, always set an X-Forwarded-Proto request header. I recently ran into an issue where Rack::Session (which I’m using for an OAuth1.0a server-side login flow) wouldn’t let me set a secure cookie because it didn’t think I was serving a secure web site.
I have forwardfor disabled in my HAproxy config because I’m using PROXY protocol to talk to Varnish. Manually adding the X-Forwarded-Proto header to the request fixed the issue, and now I want those three hours of my life back! Hopefully this comes up in someone else’s frantic googling at some point in the future and saves them a similar headache.
There are a tremendous number of things you can do today to make your site more secure, while preserving compatibility with all but the oldest web clients (I’m looking at you, Java 6 and Internet Explorer 6). If you haven’t been keeping up with the state of the art, this includes things like (cue Benny Hill music):