Filtering Sensitive Parameters from Log Files in Rails 5

Objective

To learn how to avoid sensitive information from getting written to log files in Rails 5.

Steps

Step 1

Let's add password to the users table.

rails g migration add_password_to_users password:string

This creates the migration file:

class AddPasswordToUsers < ActiveRecord::Migration[5.0]
  def change
    add_column :users, :password, :string
  end
end

Migrate the database:

rails db:migrate

Step 2

Create the form to capture the name, password and password confirmation in app/views/users/new.html.erb:

<%= form_for(@user) do |f| %>
  <div class="field">
    <%= f.label :name %>
    <%= f.text_field :first_name %>
  </div>

  <div class="field">
    <%= f.label :password %>
    <%= f.password_field :password %>
  </div>

  <div class="field">
    <%= f.label :password_confirmation %>
    <%= f.password_field :password_confirmation %>
  </div>

  <div class="actions">
    <%= f.submit %>
  </div>
<% end %>

Step 3

Define the routes for user registration in routes.rb.

resources :users, only: [:index, :show, :new, :create]

Step 4

Browse to http://localhost:3000/users/new. Fill out and submit the form.

Step 5

You will see the parameters sent to the server and the generated SQL query in the log/development.log file:

Started POST "/users" for ::1 at 2016-03-11 11:25:56 -0800
Processing by UsersController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"mxQJeccoEATtyCFy1eV", "user"=>{"first_name"=>"Juggy Head", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Create user"}
Unpermitted parameter: password_confirmation
   (0.1ms)  begin transaction
  SQL (0.8ms)  INSERT INTO "users" ("first_name", "created_at", "updated_at", "password") VALUES (?, ?, ?, ?)  [["first_name", "Juggy Head"], ["created_at", 2016-03-11 19:25:56 UTC], ["updated_at", 2016-03-11 19:25:56 UTC], ["password", "123456"]]
   (0.5ms)  commit transaction
No template found for UsersController#create, rendering head :no_content
Completed 204 No Content in 15ms (ActiveRecord: 2.2ms)

You can see that the password and password confirmation values are filtered in the log file.

Step 6

Rails automatically creates filter_parameter_logging.rb in config/initializers folder:

# Be sure to restart your server when you modify this file.

# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [:password]

No need to add :password_confirmation to this list. Rails automatically filters out password_confirmation. You can add other sensitive fields to this:

Rails.application.config.filter_parameters += [:password, :credit_card]

Summary

In this article, you learned how to filter sensitive parameters from getting logged in the log files in Rails 5.


Related Articles