
Securing your production.log

by Tim Lucas

By default Rails logs all your POST parameters in both development and production. If you are accepting credit card numbers, passwords or other sensitive information then all this data will end up in plain text in your production.log file. Not very cool.

Changing your log level to :warn prevents the logging of requests and their parameters. To make this change, add the following line to your application’s config/environments/production.rb file:

config.log_level = :warn

The only problem with the above method is that you lose lots of useful information. Ideally you just want to make sure specific actions or parameters don’t get logged. Luckily for you, somebody’s already figured out how to do this: Kent Sibilev’s plugin code, posted to the Rails mailing list back in February, excludes params for entire actions, and the filter_logged_params plugin lets you specify parameter keys to filter out across all actions.
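The following Ruby example is added here and is not taken from either plugin or from Rails. It shows key-based filtering of the kind described above: values under sensitive keys are masked before the parameters are written to the log, including keys nested inside hashes and arrays. The key patterns, helper names and sample parameters are assumptions constructed for the example.

```ruby
# Added illustration: hypothetical helpers, not the plugin's or Rails' own code.
FILTERED = "[FILTERED]"

# Keys whose values must never reach the log (constructed list).
SENSITIVE_KEYS = [/password/i, /card_number/i, /cvv/i].freeze

# Return a copy of params with sensitive values masked, walking nested
# hashes and arrays the way Rails nests form fields (user[password]).
def filter_params(params, patterns = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |p| p.match?(key.to_s) }
                   FILTERED # mask the whole value, even if it is a nested hash
                 else
                   filter_params(value, patterns)
                 end
    end
  when Array
    params.map { |item| filter_params(item, patterns) }
  else
    params
  end
end

# Build the line that would be written to the log for one request.
def log_line(params)
  "  Parameters: #{filter_params(params).inspect}"
end

# Constructed sample request parameters.
SAMPLE = {
  "action" => "create",
  "user" => { "email" => "a@example.com", "password" => "hunter2",
              "password_confirmation" => "hunter2" },
  "payments" => [{ "card_number" => "4111111111111111", "cvv" => "123",
                   "amount" => "10.00" }]
}.freeze

puts log_line(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Unlike raising the log level to :warn, this keeps the request line and the non-sensitive parameters available for debugging.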

Happy secure logging!

(credit for making me aware of this problem goes to Jeremy at segpub)
