Once upon a time there was an application where New Relic exposed credit card numbers in its parameter logging. That was a terrible day in a developer's life: sensitive information had been sent to the logs. Rails provides a good interface for confirming that parameters are filtered before they are sent across the wire when sensitive information is at stake. In old Rails we placed this in controllers, but in Rails 4 the default is to configure it as a Rails config setting (config.filter_parameters, set up by the filter_parameter_logging initializer).

The old way of doing this:

# app/controllers/api/base_api_controller.rb
class Api::BaseApiController < ApplicationController
  # Each controller keeps its own list of attributes to scrub from the logs.
  filter_parameter_logging :password, :password_confirmation, :card_number
end

# app/controllers/mobile/mobile_api_controller.rb
class Mobile::BaseMobileController < ApplicationController
  # Note: this list does not include :card_number.
  filter_parameter_logging :password, :password_confirmation
end

The issue is a lack of consistency: each controller carries its own list, so one of them can silently omit an attribute (above, the mobile controller does not filter :card_number). Of course you will say these should all go into ApplicationController, but Rails 4 does one better by moving the setting onto the Rails application object and providing a better syntax for adding attributes.

# config/initializers/filter_parameter_logging.rb
# One list for the whole application; += appends to whatever is already configured.
Rails.application.config.filter_parameters += [:password]

# Now that it is part of the Rails config, it can also be set in application.rb:
# config/application.rb
module Campus
  class Application < Rails::Application
    config.filter_parameters += [:password]
  end
end

This can now also be adjusted per environment in the environment files, which makes things even better.
