Jamie van Dyke

Toward my dreams I persist,
determined, relentless.
Destroy them, you cannot.
For I shall continue,
I shall prevail.
The sands of time,
have expunged my writings.
So let us again set in motion
the teachings,
and share the bollocks.

Jamie van Dyke is proficient in Ruby (and Rails). He teaches, he codes and is working for boxedup.

Filtering Passwords in the Rails Log
inscribed on 13 Jan 2008
by Jamie van Dyke

Every time a user logs on to your Rails site, they enter a username and password. The login form you’ve created no doubt POSTs those values to your Rails application, which then kindly logs them in your production.log. This is fine for development, but what about when you deploy your site to your production environment? That’s right, for however long you store your logs (I’ve seen some customers keep 3+ years’ worth of logs), those user passwords will be sat in that log in plain text, readable by anyone who can read the log files.

Rails is set up to be able to filter these, though. Use the following snippet to instruct your Rails application to filter any parameters called ‘password’:

  class ApplicationController < ActionController::Base
    filter_parameter_logging "password"
  end
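
A check for logs written before the filter was in place, as an added example that is not from the original post: it scans Rails-style Parameters: lines for password-like keys whose value was not replaced by "[FILTERED]". The sample log is constructed, and the line format and the method name unfiltered_secrets are assumptions made for this example.

```ruby
# Added example: report log lines where a password-like parameter was
# written in clear text instead of being replaced by "[FILTERED]".
# SAMPLE_LOG is constructed; the line format is an assumption modelled
# on the "Parameters: {...}" entries Rails writes to its request log.

SENSITIVE_KEY = /password/i                      # same word the page filters on
PAIR = /"([^"]+)"=>"((?:[^"\\]|\\.)*)"/          # "key"=>"value" in the inspected hash

SAMPLE_LOG = <<~'LOG'
  Processing SessionsController#create (for 127.0.0.1 at 2008-01-13 10:00:00) [POST]
    Parameters: {"commit"=>"Log in", "login"=>"alice", "password"=>"s3cret"}
  Processing SessionsController#create (for 127.0.0.1 at 2008-01-13 10:05:00) [POST]
    Parameters: {"commit"=>"Log in", "login"=>"bob", "password"=>"[FILTERED]"}
  Processing UsersController#create (for 127.0.0.1 at 2008-01-13 10:09:00) [POST]
    Parameters: {"user"=>{"login"=>"carol", "password"=>"hunter2", "password_confirmation"=>"hunter2"}}
LOG

# Returns [line_number, key] for every sensitive key logged with a real value.
# The value itself is never returned, so the report does not leak it again.
def unfiltered_secrets(log_text)
  findings = []
  log_text.each_line.with_index(1) do |line, lineno|
    next unless line.include?("Parameters:")
    line.scan(PAIR) do |key, value|
      next unless key.match?(SENSITIVE_KEY)      # also catches password_confirmation
      findings << [lineno, key] unless value == "[FILTERED]"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  unfiltered_secrets(SAMPLE_LOG).each do |lineno, key|
    puts "line #{lineno}: #{key} logged unfiltered"
  end
end
```

Any line it reports means the log file itself holds credentials, so those files need restricted access, rotation or scrubbing even after the filter is deployed.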
