GuardAPI

Fix Lack of Resources & Rate Limiting in Sinatra

Sinatra is dangerously lightweight. By default, it lacks any mechanism to throttle incoming requests, making it a prime target for resource exhaustion and DoS attacks. Without a rate-limiting layer, an attacker can flood expensive endpoints, spike CPU/Memory usage, and lock your database. To fix this, we drop down to the Rack layer.

The Vulnerable Pattern

require 'sinatra'
require 'json'   # needed for Hash#to_json; Sinatra does not load it for you

# VULNERABLE: No protection against automated flooding
post '/api/v1/heavy-resource' do
  # Imagine an expensive DB query or image processing here
  result = perform_expensive_calculation(params[:id])
  { status: 'success', data: result }.to_json
end

The Secure Implementation

The fix integrates the rack-attack middleware, which intercepts requests before they reach the Sinatra routing engine. We define a throttle named 'limit_heavy_api' that tracks the requester's IP. If a single IP exceeds 5 requests within a 2-second window, the middleware short-circuits the request and returns an HTTP 429 (Too Many Requests). The application logic, and with it 'perform_expensive_calculation', never executes for a throttled request, preserving system resources and mitigating DoS attempts. Note that rack-attack keeps its counters in a cache store; outside Rails no store is configured by default, so it has to be set explicitly, and an in-process store only counts requests per worker process.

require 'sinatra'
require 'json'
require 'rack/attack'
require 'active_support/cache'   # from the activesupport gem, for MemoryStore

# Rack::Attack stores its counters in a cache. Outside Rails nothing is
# configured by default and the first throttled request raises
# Rack::Attack::MissingStoreError. MemoryStore is per process: behind several
# workers or servers, share the counters through Redis or memcached instead.
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new

# Use Rack::Attack middleware to handle throttling; it runs before Sinatra routing
use Rack::Attack

# Define a throttle: 5 requests per 2 seconds per IP
Rack::Attack.throttle('limit_heavy_api', limit: 5, period: 2) do |req|
  req.ip if req.path == '/api/v1/heavy-resource' && req.post?
end

# Custom response for throttled requests
Rack::Attack.throttled_response = lambda do |env|
  # lowercase header name is accepted by both Rack 2 and Rack 3
  [429, { 'content-type' => 'application/json' },
   [{ error: 'Rate limit exceeded. Slow down.' }.to_json]]
end

post '/api/v1/heavy-resource' do
  result = perform_expensive_calculation(params[:id])
  { status: 'success', data: result }.to_json
end
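To make the throttle's behaviour concrete without running a server, here is an added example (not the page's code and not rack-attack's) that reimplements the same fixed-window, per-IP rule as a plain Rack-style middleware using only the Ruby standard library. Every POST to the expensive path increments a counter keyed by IP and window number; the sixth request in a 2-second window gets a 429 with a Retry-After header and never reaches the app. The class names, the stub app, the injectable clock and the traffic list are all constructed for this example.

```ruby
require 'json'

# Fixed-window per-IP throttle as a Rack-style middleware (constructed example,
# mirrors the semantics of Rack::Attack.throttle: increment, then reject when
# the count exceeds the limit). The clock is injectable so window roll-over can
# be simulated deterministically.
class FixedWindowThrottle
  def initialize(app, limit:, period:, path:, clock: -> { Time.now.to_f })
    @app = app
    @limit = limit
    @period = period      # window length in seconds
    @path = path
    @clock = clock
    @counts = Hash.new(0) # in-memory store: per process, like MemoryStore
  end

  def call(env)
    return @app.call(env) unless throttled?(env)

    now = @clock.call
    window = (now / @period).to_i              # all requests in one period share a window id
    key = "#{env['REMOTE_ADDR']}:#{window}"
    count = (@counts[key] += 1)

    return @app.call(env) if count <= @limit

    retry_after = (@period - (now % @period)).ceil  # seconds until the window resets
    [429,
     { 'content-type' => 'application/json', 'retry-after' => retry_after.to_s },
     [{ error: 'Rate limit exceeded. Slow down.' }.to_json]]
  end

  private

  # Only POSTs to the expensive route are counted, as in the throttle block above
  def throttled?(env)
    env['PATH_INFO'] == @path && env['REQUEST_METHOD'] == 'POST'
  end
end

# Stub for the expensive endpoint; counts calls so we can show that throttled
# requests never reach it.
class HeavyApp
  attr_reader :calls

  def initialize
    @calls = 0
  end

  def call(_env)
    @calls += 1
    [200, { 'content-type' => 'application/json' }, [{ status: 'success' }.to_json]]
  end
end

# Replays [ip, method, path, time] tuples through the throttle and returns the
# status codes plus how many requests the app actually handled.
def replay(requests, limit: 5, period: 2)
  clock_time = 0.0
  app = HeavyApp.new
  throttle = FixedWindowThrottle.new(app, limit: limit, period: period,
                                     path: '/api/v1/heavy-resource',
                                     clock: -> { clock_time })
  statuses = requests.map do |ip, method, path, t|
    clock_time = t
    status, _headers, _body = throttle.call('REMOTE_ADDR' => ip,
                                            'REQUEST_METHOD' => method,
                                            'PATH_INFO' => path)
    status
  end
  [statuses, app.calls]
end

# Constructed traffic: one client bursts 7 POSTs inside the first 2-second
# window, a second client sends one, a GET is never counted, and the first
# client returns after the window has rolled over.
BURST = [
  *(1..7).map { |i| ['203.0.113.10', 'POST', '/api/v1/heavy-resource', 0.1 * i] },
  ['203.0.113.20', 'POST', '/api/v1/heavy-resource', 0.8],
  ['203.0.113.10', 'GET',  '/api/v1/heavy-resource', 0.9],
  ['203.0.113.10', 'POST', '/api/v1/heavy-resource', 2.5]
].freeze

if __FILE__ == $PROGRAM_NAME
  statuses, handled = replay(BURST)
  puts "statuses: #{statuses.inspect}"               # [200, 200, 200, 200, 200, 429, 429, 200, 200, 200]
  puts "requests that reached the app: #{handled}"  # 8
end
```

Because the counter lives in a Hash inside one process, two Puma workers would each allow five requests per window; that is the same limitation as MemoryStore in the real configuration, and the reason a shared store is needed once the app runs on more than one process.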


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.