Blog Post RSS ?

Blogs » Ruby on Rails » Securing your production.log
« Jul 11, 2006 News Wire
Jul 12, 2006 News Wire »
 

Securing your production.log

by Tim Lucas

By default Rails logs all your POST parameters in both development and production. If you are accepting credit card numbers, passwords or other sensitive information then all this data will end up in plain text in your production.log file. Not very cool.

Changing your log level to :warn prevents the logging of requests and their parameterse. To make this change add the following line to your application’s config/environments/production.rb file:

config.log_level = :warn

The only problem with the above method is that you lose lots of useful information. Ideally you just want to make sure specific actions or parameters don’t get logged. Luckily for you somebody’s already figured out how to do this: Kent Sibilev’s plugin code posted to the Rails mailing list back in February excludes params for entire actions, and the filter_logged_params plugin let’s you specify parameter keys to filter out across all actions.

Happy secure logging!

(credit for making me aware of this problem goes to Jeremy at segpub)

Tags: , , ,

This entry was posted on Wednesday, July 12th, 2006 at 8:22 pm, contains 156 words, and is filed under Ruby on Rails. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed. The views and opinions in this blog post are those of its author.

This post has 2 responses so far

  1. James Collins Says:
    August 6th, 2006 at 1:19 am

    Thanks for the terrific post on securing the production.log! That’s exactly what I needed.

     
  2. timlucas Says:
    August 11th, 2006 at 1:06 am

    With Rails 1.1.5+ you can use the new ActionController#filter_parameter_logging method to filter out sensitive information from your logs

     

Sponsored Links

Leave a response

You are not logged in, log in with your SitePoint Forum username and password.

-OR- Post Anonymously

* Make sure any code samples are escaped (i.e. ‘<b>’ becomes ‘&lt;b&gt;’).

If not logged in, your comments will be placed in a moderation queue. This means your comment may not appear until one of our moderators approves it.

Your Blogmaster is...

Tim Lucas

Tim Lucas

Tim (aka toolmantim) is a Sydney based, possum-eyed web application designer with a bent for web standards and user-centred design. When not hiding behind his camera he can be found doodling interface designs and coding Rails at his company aviditybytes.

Subscribe

SitePoint Newsletters

Get all the latest tips by signing up to all of SitePoint’s informative newsletters.

HTML   Plain

SitePoint Blogs

SitePoint Marketplace

Buy, Sell, Trade

Buy and sell Websites, templates, domain names, hosting, graphics and more.

Posting Code Snippets

Feel free to enter code snippets into your comments in the following format.

Marking Up Your Code
<pre>
<code class='html'> 
code snippet 
</code>
</pre>

Be sure to escape any HTML snippets (i.e. '<' becomes '&lt;' ).

Supported language classes include:

  • XML, HTML, XSLT and any other XML style code
  • CSS
  • C#
  • VB & VB.NET
  • Delphi, Pascal
  • JavaScript
  • PHP
  • Python
  • SQL