Address CVE-2015-9284 for generic Rack apps (eg Sinatra) for Omniauth

config.ru

require 'omniauth/strategies/<your strategy>'
require_relative 'omniauth_authenticity_checker'

OmniAuth.config.allowed_request_methods = [:post]
OmniAuth.config.before_request_phase = OmniauthAuthenticityChecker.new(reaction: :drop_session)


# And if you haven't already, you should be loading in the `Rack::Protection` middleware:

use Rack::Protection, reaction: :drop_session, use: :authenticity_token

# You will also need to make sure your users are POSTing to your authorise route, and not simply 
# linking/redirecting to it. This change would make GETing the authorise route 404 so you may wish to
# handle this by rendering a nicer error message, and/or rendering a form with a button to POST to your
# authorise route.

omniauth_authenticity_checker.rb

require 'rack-protection'

class OmniauthAuthenticityChecker < Rack::Protection::AuthenticityToken
  def initialize(options = {})
    @options = default_options.merge(options)
  end

  def call(env)
    unless accepts? env
      instrument env
      react env
    end
  end

  def deny(env)
    warn env, "attack prevented by #{self.class}"
    raise Net::HTTPForbidden, options[:message]
  end
end

Absolutely! Thanks for pointing me in the right direction.