How can I make Sinatra use CSRF Authenticity tokens?

Use the rack_csrf gem. Install it with

gem install rack_csrf

The rack_csrf gem has a Sinatra example. Below is a simpler example adapted from this page (seems offline. Archived version):

require "rack/csrf"

configure do
  use Rack::Session::Cookie, :secret => "some unique secret string here"
  use Rack::Csrf, :raise => true
end

Using enable :sessions instead of use Rack::Session::Cookie ... will also work in most cases (see Bill's comment).

In your view, you can get the token (or the tag) with the Rack::Csrf.csrf_token and Rack::Csrf.csrf_tag methods. If this appears lengthy, you may want to define a helper along the lines of:

helpers do
  def csrf_token
    Rack::Csrf.csrf_token(env)
  end

  def csrf_tag
    Rack::Csrf.csrf_tag(env)
  end
end

Small example using the helper method:

<form method="post" action="/tweet">
  <%= csrf_tag %>
  <input type="text" name="message"/>
  <input type="submit" value="Submit a tweet!"/>
</form>

Tags:

Ruby

Sinatra

Csrf