Securing your production.log

By default Rails logs all your POST parameters in both development and production. If you are accepting credit card numbers, passwords or other sensitive information then all this data will end up in plain text in your production.log file. Not very cool.

Changing your log level to :warn prevents the logging of requests and their parameters. To make this change add the following line to your application’s config/environments/production.rb file:

config.log_level = :warn

The only problem with the above method is that you lose lots of useful information. Ideally you just want to make sure specific actions or parameters don’t get logged. Luckily for you somebody’s already figured out how to do this: Kent Sibilev’s plugin code posted to the Rails mailing list back in February excludes params for entire actions, and the filter_logged_params plugin lets you specify parameter keys to filter out across all actions.
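To show what key-based filtering looks like in practice, here is an added stand-alone Ruby example (not the plugin's code, and needing no Rails) that masks chosen keys, walks nested hashes and arrays so params such as user[password] are caught, and only hands the masked copy to the log line; the key names in SENSITIVE_KEYS are assumed for the example.

```ruby
# Added example: a stand-alone Ruby parameter filter that mirrors the idea of
# the filter_logged_params plugin, i.e. mask chosen keys before params reach
# the log. It is not the plugin's code and needs no Rails.
SENSITIVE_KEYS = %w[password card_number cvv].freeze  # assumed key names

# Returns a deep copy of params with matching keys masked. Keys are matched
# by substring so "password_confirmation" is caught too; nested hashes and
# arrays are walked so parameters such as user[password] are not missed.
def filter_params(params, keys = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = if keys.any? { |s| k.to_s.downcase.include?(s) }
                 "[FILTERED]"
               else
                 filter_params(v, keys)
               end
    end
  when Array
    params.map { |v| filter_params(v, keys) }
  else
    params
  end
end

# Builds the request line to write to production.log; only the filtered copy
# is ever formatted, so the raw values never reach the logger.
def log_line(controller, action, params)
  "Processing #{controller}##{action} (params: #{filter_params(params).inspect})"
end

if __FILE__ == $0
  # Constructed sample POST body for a checkout action
  params = { "action" => "create", "controller" => "orders",
             "order" => { "card_number" => "4111111111111111", "cvv" => "123",
                          "items" => [{ "sku" => "A1", "qty" => 2 }] },
             "user" => { "login" => "bob", "password" => "hunter2" } }
  puts log_line("OrdersController", "create", params)
end
```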

Happy secure logging!

(credit for making me aware of this problem goes to Jeremy at segpub)

Category: programming Time: 2006-07-12 Views: 1