Hiding passwords in Rails log files

If you matter a bit about security, you certainly don't want the user's passwords to be cleartext in the log files of your Rails application. Believe me (or not) but your application is very likely making all the passwords available in production.log if you have not taken any counter-measure yet.

Just because a password is a parameter like the others most of the time, it consequently gets logged by Rails when it reaches a controller method. This is a bit annoying considering the time we spend on advanced security options like a SSL setup or the hashing of passwords in the database.

Hopefully, Rails has the solution, easy to setup. Once again, it's a bit hidden in the tons of methods the framework proposes, but this is the charm and beauty of it.

Assuming you use the word 'password' to name every parameter that deals with a password (in the registration, login and user edition forms), just add one line of code in the app/controllers/application.rb file.

class ApplicationController < ActionController::Base
  # filter out password parameters from log files
  filter_parameter_logging :password  
end

If your naming scheme is a bit more complex, don't worry because filter_parameter_logging accepts a list of words and a block that should be enough for matching all the cases. If it does not convey your choices, think about changing your code to simplify your naming of parameters.

After doing so, the value of any password parameter received by a controller appears as [FILTERED] in the log files of your Rails application, whatever the current environment is.

Thanks Maintainable Software for mentioning this Rails feature in their Rails Logging Tips article.

5 comments

  1. Harry Seldon  

    February 28, 2009 at 9:06 PM

    Thx for this very important advice !

  2. Laurent Farcy  

    March 1, 2009 at 11:13 AM

    You're welcome.

  3. abbey  

    May 23, 2014 at 10:20 AM

    Such a beautifull post!

  4. jazz  

    May 23, 2014 at 10:44 AM

    Thanks for sharing this info!!

  5. Unknown  

    March 3, 2020 at 7:44 PM

    If you're looking to lose fat then you certainly need to jump on this totally brand new custom keto diet.

    To create this keto diet, certified nutritionists, fitness trainers, and cooks have united to provide keto meal plans that are useful, decent, economically-efficient, and fun.

    Since their first launch in 2019, thousands of individuals have already transformed their body and well-being with the benefits a professional keto diet can offer.

    Speaking of benefits: in this link, you'll discover 8 scientifically-certified ones provided by the keto diet.

Recent Entries

Recent Comments

Ruby and Rails> Recommended