For those of you who are already familiar with the Rails framework, you already know that the Rails logs are invaluable when it comes to debugging and troubleshooting issues. However, just as with any form of transaction log, they introduce a serious security risk.
Just think about some of the information you might be storing in your database: credit card numbers? Social security numbers? What about passwords? Imagine someone getting hold of those logs and seeing every request parameter that was passed through to the database: the credit card numbers inserted into an order, the username and password combination used to look up a user. See the point I'm making here? Let's look at a quick example of what you'll see in your logs:
Parameters: {"model"=>{"username"=>"John", "password"=>"hax0r"}…
Not good.
Thankfully Rails makes it simple to filter this sensitive material out of your logs. Open up the controller that handles those requests (ApplicationController, if you want the filter to cover every controller in the app) and add a single line just below the class definition:
class ApplicationController < ActionController::Base
  # Replace the value of any "password" parameter with "[FILTERED]" before the request is logged.
  # Note: filter_parameter_logging is a controller class method, not an ActiveRecord one,
  # so it belongs in a controller; Rails 3 and later use config.filter_parameters
  # in config/application.rb instead.
  filter_parameter_logging :password
  …
end
In this case I just filtered "password", but you could filter whatever else you wanted for that controller (and, since every controller inherits from ApplicationController, for the whole app), separating each parameter with a comma, like so:
filter_parameter_logging :password, :confirm_password, :ssn, :creditcard_number, :etc
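To see exactly what this does to the logged "Parameters:" line without booting a Rails app, here is an added stand-alone re-implementation of the filtering step (example code written for this page, not Rails' own implementation): it walks the nested params hash and replaces the values of the named keys with "[FILTERED]". Rails' real filter also matches keys by substring or regexp; this version matches exact key names only. The sample params below are constructed to mirror the post's example.

```ruby
# Placeholder Rails substitutes for a filtered value in the request log.
FILTERED = "[FILTERED]".freeze

# Return a copy of `params` with the values of sensitive keys replaced.
# Walks nested Hashes and Arrays, since form params arrive nested
# (e.g. {"model" => {"password" => "..."}}). Does not mutate the input.
def filter_params(params, sensitive)
  keys = sensitive.map(&:to_s)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = keys.include?(k.to_s) ? FILTERED : filter_params(v, sensitive)
    end
  when Array
    params.map { |v| filter_params(v, sensitive) }
  else
    params
  end
end

# Render the hash the way the Rails request log prints it.
def log_line(params)
  "Parameters: #{params.inspect}"
end

# Constructed sample request params (not real data), mirroring the post's example.
SAMPLE_PARAMS = {
  "model" => { "username" => "John", "password" => "hax0r" },
  "order" => { "creditcard_number" => "4111111111111111", "items" => [{ "sku" => "42" }] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Before filtering: secrets land in the log verbatim.
  puts log_line(SAMPLE_PARAMS)
  # After filtering the same keys the post filters: only "[FILTERED]" is logged.
  puts log_line(filter_params(SAMPLE_PARAMS, [:password, :creditcard_number]))
end
```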
It's that simple. So keep those Rails logs secure and filter out the stuff that others don't need to know.