Sprinkles

Web Dev Rethought

We observed that server-side web development, most of the time, boils down to a handful of fairly straightforward tasks: parse HTTP requests, dispatch through a routing table, fetch data from a database or other backends, apply a template, serve an HTTP response. All of these are solved problems, and can be implemented in ways that do not involve any programming at all, and that means we can build a web development platform that allows web developers to build websites without having to touch a single line of PHP, Python, Java, or any other server-side programming language.

Familiar Stuff

Sprinkles was designed with web developers in mind. Wherever possible, we chose to make things work in familiar ways, for example:

The server doesn’t care how the front-end is implemented; you can use your favorite front-end toolchain to generate your assets, Sprinkles just serves them. Use bower, npm, browserify, sass, and anything else you want.

Familiar template language: Sprinkles’s template language, Ginger, is very similar to Django or Twig templates, and near identical to Jinja 2. This means that your templates will look like actual HTML, and you won’t need to learn much in order to get going.

Familiar configuration file format: We picked YAML for configuration files, because it’s the most intuitive yet mature of the available options.

Unopinionated choice of content formats: Sprinkles loves Markdown, but you can provide content in all sorts of formats, including:

• Markdown
• Textile
• ReStructuredText
• Plain Text
• HTML
• DOCX
• JSON
• YAML

Quick Setup

To get a Sprinkles site started, all you need to do is:

• Create a templates directory and add some templates.
• Write a project.yml, defining some routes and data sources.
• Run sprinkles in the project directory.

Security By Design

Security is an important consideration in Sprinkles’s design. A few principles we follow:

• By keeping the management part separate from the presentation part, we avoid escalation from the front-end to the back-end. The presentation part alone is a lot easier to keep secure than a tightly coupled presentation + management application.
• Using a statically-typed programming language with a powerful type system allows us to systematically avoid XSS, SQLi, and other forms of cross-encoding / cross-protocol contention.
• Because Sprinkles is compiled into a single binary, and doesn’t execute any user-supplied code at runtime, remote code execution vulnerabilities are very unlikely - even if an attacker were to upload, say, a PHP script into Sprinkles’s data directory, Sprinkles would not execute it, because that’s just not something it was designed to do.