Filtering parameters in your log files
Log files are good for figuring out what went wrong, or what SQL statement was executed, and many other things. But they’re terrible for storing sensitive information (such as passwords, credit card numbers, etc). Luckily, there’s an easy way to filter out the parameters you want to keep safe: filter_parameter_logging.
Here’s all you have to do:
    filter_parameter_logging :username, :password

    ## Here's what ends up in the .log file
    # Parameters: {"action" => "login",
    #              "username" => "[FILTERED]",
    #              "password" => "[FILTERED]"}
Just stick that in any controller you want to protect. What’s really nice about this is if the arguments match any part of the parameter key, the value will be filtered.
    filter_parameter_logging :password

    ## Matches:
    #   params[:password]
    #   params[:user][:password]
    #   params[:user][:login_password]
    #   params[:user][:login_password_field]
    #   ...
You can also pass a block to declare the filter yourself. So instead of using the regular expression matching, you could do something like this:
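    filter_parameter_logging do |key, value|
      # Test the key, and change the value in place: reassigning the block
      # variable would leave the logged value untouched.
      value.replace("[can't see this]") if key == "password"
    end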
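The following is an added example, not code from the original post or from Rails: a standalone Ruby model of the two behaviours described above (substring matching on keys, including nested ones, and a custom block that rewrites values in place). The names filter_params and SAMPLE_PARAMS, the sample data, and the case-insensitive matching are assumptions made for illustration.

```ruby
# Standalone model of the filtering described in this post; not Rails source.
# filter_params and SAMPLE_PARAMS are hypothetical names.
FILTERED = "[FILTERED]"

# Returns a filtered deep copy of params, leaving the original untouched.
# A value is masked when any filter word occurs anywhere in its key.
# An optional block receives (key, copy_of_value) for every string that was
# not masked and may change that copy in place, e.g. with String#replace.
def filter_params(params, *words, &block)
  source = words.map { |w| Regexp.escape(w.to_s) }.join("|")
  pattern = words.empty? ? nil : Regexp.new(source, Regexp::IGNORECASE)
  walk = lambda do |key, value|
    # A matching key masks whatever sits under it, nested hash or not.
    next FILTERED if key && pattern && key =~ pattern
    case value
    when Hash
      value.each_with_object({}) { |(k, v), out| out[k] = walk.call(k.to_s, v) }
    when Array
      value.map { |v| walk.call(key, v) }
    when String
      copy = value.dup
      block.call(key, copy) if block
      copy
    else
      value
    end
  end
  walk.call(nil, params)
end

# Constructed sample request parameters.
SAMPLE_PARAMS = {
  "action" => "login",
  "username" => "alice",
  "password" => "hunter2",
  "user" => { "login_password_field" => "hunter2", "email" => "alice@example.com" },
  "card" => { "number" => "4111111111111111" }
}

if __FILE__ == $0
  # Substring match: both password keys are masked, the card number is not.
  p filter_params(SAMPLE_PARAMS, :password)
  # Block form: mask by exact key instead.
  p filter_params(SAMPLE_PARAMS) { |k, v| v.replace("[can't see this]") if k == "number" }
end
```

The first call leaves the card number readable because no filter word matches its key, so every sensitive field name has to be covered by a filter word or by the block.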
It’s just a really easy way to add a little more protection to your sensitive data.

Chris Thursday, 08 Mar, 2007 Posted at 04:12PM
Thanks for reminding me… I need to filter out some password fields on a few apps, but I forgot the command.