Silencing Rails Logs for Security

For those of you that are already familiar with the Rails framework you already know that the Rails logs are completely invaluable when it comes to debugging and troubleshooting issues.  However, just as with any form of transaction logs they introduce a major security issue.

Just think about some of that information that you might be storing in your database… credit card numbers?, social security numbers?, or what about passwords?  Imagine someone getting a hold of those logs and seeing all the session parameters being passed into the database.  Inserting the credit card numbers into an order, selecting the user information based on a username and password combination.  See the point I’m making here?  Let’s look at a quick example of what you’ll see in your logs:

Parameters: {“model”=>{“username”=>”John”, “password”=>”hax0r”}…

Not good.

Thankfully Rails makes it simple to filter this important material from your logs.  Just open up the model that you want to filter and add a single line just below the class definition:

class Model < ActiveRecord::Base
filter_parameter_logging :password

end

In this case I just filtered “password”, but you could filter whatever else you wanted to for that model, separating each parameter with a comma, like such:

filter_parameter_logging :password, :confirm_password, :ssn, :creditcard_number, :etc

It’s that’s simple.  So keep those Rails logs secure and filter out the stuff that others don’t need to know.

About these ads


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.