Filtering passwords in the rails log


Every time a user logs on to your Rails site, they enter a username and password. The login form you’ve created no doubt POSTs those values to your Rails application, which then kindly writes them into your production.log. This is fine in development, but what about when you deploy your site to your production environment? That’s right, for however long you keep your logs (I’ve seen some customers keep 3+ years’ worth), those user passwords will sit in plain text in that log. This isn’t the most secure way of handling this. Rails can filter these out of the log, but how? Use the following snippet to instruct your Rails application to filter any parameter called ‘password’:

  class ApplicationController < ActionController::Base
    # Replace the value of any request parameter whose name contains "password"
    # with "[FILTERED]" before the params hash is written to the log.
    filter_parameter_logging "password"
  end
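To see what the filter actually does to a logged params hash without booting Rails, here is an added stand-alone re-implementation of the matching behaviour (this is example code, not Rails’ own source or the snippet above); it assumes, as Rails does, a case-insensitive substring match on the key name, recursion into nested hashes and arrays, and the replacement string "[FILTERED]".

```ruby
# Added example: mirrors the effect of filter_parameter_logging "password" on a
# params hash so the result can be inspected offline. Assumptions: filter terms
# match case-insensitively as substrings of the key, nested hashes and arrays are
# walked, and a matched value is replaced whole with "[FILTERED]".

FILTERED = "[FILTERED]".freeze

def filter_params(params, filters = ["password"])
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      if filters.any? { |f| key.to_s.downcase.include?(f.downcase) }
        # A matched key hides its entire value, even if that value is a hash.
        out[key] = FILTERED
      else
        out[key] = filter_params(value, filters)
      end
    end
  when Array
    params.map { |v| filter_params(v, filters) }
  else
    params
  end
end

# Constructed sample of what a login form might POST. Note that
# "password_confirmation" is caught by the substring match, and the nested
# "user" hash is walked rather than logged verbatim.
SAMPLE_PARAMS = {
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
  },
  "remember_me" => "1",
}

if __FILE__ == $0
  puts filter_params(SAMPLE_PARAMS).inspect
end
```

Any term you pass to filter_parameter_logging is matched the same way, so a filter of "password" also covers keys like "old_password" or "Password".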