Log files can be exposed to far more people than you intend, such as someone who has access to your archive disk, or someone who has access to your bug repository, which contains a lot of log attachments.

Through these log files, sensitive information such as credit card numbers, passwords, and other private data could be leaked. It is always good practice not to write this data to your log files.

To do so, update the filter_parameter_logging.rb initializer. For example:

# Filter any parameter whose name contains "password"
Rails.application.config.filter_parameters += [:password]
# Filter any parameter whose name contains "code"
Rails.application.config.filter_parameters += ['code']
# Filter "code" only where it is nested under "credit_card"
Rails.application.config.filter_parameters += ['credit_card.code']

The value now appears as "[FILTERED]" in your log files.
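One way to check that the filter is doing its job is to audit existing log lines for values that escaped it. This is an added example, not part of the original article: the helper names, the key list (mirroring the filters above) and the sample log lines are all constructed for illustration.

```ruby
# Audit log lines for sensitive values that escaped parameter filtering.
# SENSITIVE_KEYS and SAMPLE_LOG are assumptions constructed for this example.
SENSITIVE_KEYS = %w[password code].freeze
FILTERED = "[FILTERED]"

# Luhn checksum: separates plausible card numbers from other long digit runs.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Returns [line_number, reason] pairs; the leaked value itself is never echoed.
def audit_log(lines)
  findings = []
  lines.each_with_index do |line, idx|
    # 13 to 19 digits, optionally separated by spaces or dashes
    line.scan(/(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/) do |match|
      digits = match.delete(" -")
      findings << [idx + 1, "possible card number"] if luhn_valid?(digits)
    end
    # "key"=>"value" pairs as printed on a Parameters line
    line.scan(/"([^"]+)"\s*=>\s*"([^"]*)"/) do |key, value|
      next unless SENSITIVE_KEYS.any? { |k| key.downcase.include?(k) }
      findings << [idx + 1, "unfiltered key #{key}"] unless value == FILTERED
    end
  end
  findings
end

# Constructed sample: line 2 is filtered correctly, line 3 is not,
# line 4 carries a long numeric reference id that is not a card number.
SAMPLE_LOG = [
  'Started POST "/payments" for 127.0.0.1',
  '  Parameters: {"credit_card"=>{"code"=>"[FILTERED]"}, "password"=>"[FILTERED]"}',
  '  Parameters: {"credit_card"=>{"number"=>"4111111111111111", "code"=>"123"}}',
  'Completed 200 OK in 12ms (transaction_id=20240101123456)'
].freeze

audit_log(SAMPLE_LOG).each { |n, why| puts "line #{n}: #{why}" }
```

Line 3 is reported twice: once for the unfiltered "code" key and once for the "number" value, which no filter in the list covers.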

You might argue that this data is sometimes important for debugging; for example, you may want to know whether a credit card number starts with 4 or 5. In that case, it is better to take a reference ID from the log (such as a transaction ID or model ID) and extract only that specific record from the database. This is safer than logging everything into the log files.