Railscasts - Filtering Sensitive Logs

#9

Mar 23, 2007

Filtering Sensitive Logs

Are you accepting sensitive user data? Passwords, credit card numbers, etc. By default, Rails stores all submitted parameters in plain text in the logs. This episode will show you how to filter this sensitive input so it doesn't show up in the log file.

Tags: security

Download (8 MB, 2:42)

alternative download for iPod & Apple TV (4.6 MB, 2:42)

Read it on ASCIIcasts

# controllers/application.rb
filter_parameter_logging "password"

< Previous Episode

16 comments

1. Heiko Webers Apr 23, 2007 at 01:11

Thanks, I put it on the Rails Security Project: http://www.rorsecurity.info/

2. gad May 12, 2007 at 14:43

good tip

3. chineseGuy May 12, 2007 at 21:43

filter_parameter_logging "password"
good tip

4. Rob Nov 13, 2007 at 06:59

Great stuff. Am interested to know what the prompt is for rails also [FILTERING] out the password confirmation field? Is this parameter key a regex?

It's suggested here that you need to have both :password and :password_confirmation in the filter_parameter_logging call -

http://wiki.rubyonrails.org/rails/pages/HowtoAuthenticate

5. tayfun Jan 16, 2008 at 06:45

I think rails filters confirmation field automatically if you filter the password field. So you don't need to explicitly say so.

6. Aditya Sanghi Jun 08, 2008 at 14:03

Is there a way to get the exception_notifier plugin to use the filter_parameter_logging directive?

Anyone played with exception_notifier and parameter logging?

7. troelskn Nov 14, 2008 at 12:31

I would be nice with an explanation of how Rails know to filter password_confirmation?

8. indirmeden izle Aug 07, 2009 at 15:20

Very good cast and good solution. I am sure that many developers forget about data in logs

9. tyoc Aug 31, 2009 at 07:59

I think it filter both because it match the start of the strings, thought I haven't tested myself.

I mean if there is filter for password and you have password_field1, password_field2, password_field3, it will [FILTER] those 3.

10. ergun Oct 14, 2009 at 06:35

www.elitdizi.com

nice

11. cafedizi Nov 02, 2009 at 13:34

thxxxx

13. sinema izle Nov 23, 2009 at 22:12

eyvallah babacanlar

14. mani Dec 15, 2009 at 23:28

but these parameters are not filtered if some exception occurs.

how filter parameters from exception log as well?

15. filmizle Jan 05, 2010 at 06:09

saolun lan ibneler

16. sitene ekle Jan 17, 2010 at 09:54

thanks

17. filmizle Feb 03, 2010 at 12:10

bedava filmler izle

Add your comment:

navigation:

sponsored by:

tags:

if you want to help:

required:

Give Back to Open Source