This is actually two related questions; I'll address them one at a time.
According to this SO question, it looks like you need to provide an origin whitelist to Sinatra. Essentially, what it's trying to do is protect you from Cross Site Scripting Attacks which could harm your users. However, there are some cases when you do want to allow cross site scripting to occur. To do so, you can do something like this:
set :protection, :origin_whitelist => ['http://web.example.com']
The headers only apply to the user's browser, but Rack needs permission as well. Two lines of defense. For more information, see the documentation for Rack::Protection (which is what Sinatra uses here).
The "secret option" error refers to a setting on Rack::Session. When you use the Rack::Session functionality, you can pass in the secret like this:
use Rack::Session::Cookie, :key => 'rack.session', :domain => 'foo.com', :path => '/', :expire_after => 2592000, :secret => 'change_me'
Do the above instead of the simple enable :sessions. You can also find the documentation for Rack::Session here.
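To show what the :secret option protects, here is an added example (not part of the original answer, and not Rack's own implementation): a simplified, stdlib-only sketch of an HMAC-signed session cookie. The names sign_session, load_session and SESSION_SECRET are hypothetical, and the cookie layout is constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Assumption: the secret comes from a hypothetical SESSION_SECRET variable.
# A literal such as 'change_me' gives no protection; use a long random value.
SECRET = ENV.fetch('SESSION_SECRET') { SecureRandom.hex(64) }

# Serialize the session and append an HMAC computed with the server secret.
def sign_session(data, secret)
  payload = [JSON.generate(data)].pack('m0') # strict Base64, never contains '-'
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}--#{mac}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Return the session hash only if the MAC verifies; otherwise nil.
def load_session(cookie, secret)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(mac, expected)
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil
end

# Constructed sample: a valid cookie, and one whose payload was edited
# client-side while the old signature was kept.
cookie = sign_session({ 'user_id' => 42, 'admin' => false }, SECRET)
edited = [JSON.generate({ 'user_id' => 42, 'admin' => true })].pack('m0')
forged = "#{edited}--#{cookie.split('--', 2).last}"

puts load_session(cookie, SECRET).inspect # session hash
puts load_session(forged, SECRET).inspect # nil, signature mismatch
```

Without a secret known only to the server, the client could rewrite the payload and recompute the signature itself, which is why the secret must be set explicitly and kept out of source control.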