#9 Filtering Sensitive Logs
Mar 23, 2007 | 2 minutes | Security
Are you accepting sensitive user data? Passwords, credit card numbers, etc. By default, Rails stores all submitted parameters in plain text in the logs. This episode will show you how to filter this sensitive input so it doesn't show up in the log file.
Thanks, I put it on the Rails Security Project: http://www.rorsecurity.info/
filter_parameter_logging "password"
good tip
Great stuff. Am interested to know what the prompt is for rails also [FILTERING] out the password confirmation field? Is this parameter key a regex?
It's suggested here that you need to have both :password and :password_confirmation in the filter_parameter_logging call -
http://wiki.rubyonrails.org/rails/pages/HowtoAuthenticate
I think rails filters confirmation field automatically if you filter the password field. So you don't need to explicitly say so.
Is there a way to get the exception_notifier plugin to use the filter_parameter_logging directive?
Anyone played with exception_notifier and parameter logging?
I would be nice with an explanation of how Rails know to filter password_confirmation?
Very good cast and good solution. I am sure that many developers forget about data in logs
I think it filter both because it match the start of the strings, thought I haven't tested myself.
I mean if there is filter for password and you have password_field1, password_field2, password_field3, it will [FILTER] those 3.
but these parameters are not filtered if some exception occurs.
how filter parameters from exception log as well?
First sign in through GitHub to post a comment.