MikeRogers0/MikeRogersIO

src/_posts/2018-06-20-better-filter-parameters-defaults.md

---
layout: post
title: Don't just [FILTER] passwords by default, filter tokens and keys!
description: Update your config.filter_parameters to have sensible defaults, so logs don't have sensitive information in them.
---

I've picked up a lot of Rails projects while working as a contractor. Almost always, I can guarantee that `config/initializers/filter_parameter_logging.rb` will be pretty much untouched, and will probably still carry the commit message "Initial commit".

This is a massive shame, as it's responsible for deciding which parameters are replaced with `[FILTERED]` in logs, and really should be updated to include a lot more parameters.

## My new default

Instead of hoping people remember to add sensitive parameters while developing, I work on the assumption that most apps will connect to Stripe, have an API and use Devise.

When I start or take on a project, I just replace this file with one that includes the parameters commonly passed by Stripe, APIs and Devise. Like this:

```ruby
# config/initializers/filter_parameter_logging.rb
# Be sure to restart your server when you modify this file.

# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [
  :password,
  # Stripe
  :stripe_card_token, :stripe_publishable_key,
  # An API
  :access_token, :refresh_token,
  # Devise
  :confirmation_token
]
```
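To make it concrete what that list actually does to a request, here is an added example (not code from the post or from Rails) that re-implements, without loading Rails, the matching rules `config.filter_parameters` is documented to use: a Symbol or String matches any key that contains it as a case-insensitive substring (so `:password` also covers `password_confirmation`), a Regexp is matched against the key name, and nested hashes and arrays are walked recursively. It then diffs the output of the stock `[:password]` initializer against the fuller list from the post over a constructed params hash, so you can see exactly which values would have reached the log. `SAMPLE_PARAMS`, `flatten_params` and `newly_filtered` are assumptions of this example, not Rails APIs.

```ruby
# Added example: a stand-alone approximation of how Rails filters request
# parameters before they are written to the log. Not the post's code.
FILTERED = "[FILTERED]".freeze

# The post's suggested list (Symbols match as case-insensitive substrings).
FILTER_PARAMETERS = [
  :password,
  :stripe_card_token, :stripe_publishable_key,   # Stripe
  :access_token, :refresh_token,                 # An API
  :confirmation_token                            # Devise
].freeze

# Does `key` match any entry in `filters`?
def key_filtered?(key, filters)
  name = key.to_s
  filters.any? do |f|
    case f
    when Regexp then f.match?(name)
    else name.downcase.include?(f.to_s.downcase)
    end
  end
end

# Return a copy of `params` with every matching key's value replaced by
# FILTERED, descending into nested Hashes and Arrays.
def filter_params(params, filters = FILTER_PARAMETERS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key_filtered?(key, filters) ? FILTERED : filter_params(value, filters)
    end
  when Array
    params.map { |v| filter_params(v, filters) }
  else
    params
  end
end

# Flatten nested params into { "user.password" => value, "cards[0].x" => value }.
def flatten_params(params, prefix = nil, out = {})
  case params
  when Hash
    params.each { |k, v| flatten_params(v, prefix ? "#{prefix}.#{k}" : k.to_s, out) }
  when Array
    params.each_with_index { |v, i| flatten_params(v, "#{prefix}[#{i}]", out) }
  else
    out[prefix] = params
  end
  out
end

# Paths that `full` hides but `minimal` would have written to the log in clear.
def newly_filtered(params, minimal, full)
  before = flatten_params(filter_params(params, minimal))
  after  = flatten_params(filter_params(params, full))
  after.select { |path, v| v == FILTERED && before[path] != FILTERED }.keys
end

# Constructed sample request, shaped like a Devise sign-up plus a Stripe
# checkout and an API callback.
SAMPLE_PARAMS = {
  "utf8" => "1",
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2"
  },
  "stripe_card_token" => "tok_constructed",
  "api" => { "access_token" => "abc", "scope" => "read" },
  "cards" => [{ "stripe_card_token" => "tok2" }, { "last4" => "4242" }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "With the stock [:password] only:"
  p filter_params(SAMPLE_PARAMS, [:password])
  puts "Values the fuller list additionally keeps out of the log:"
  p newly_filtered(SAMPLE_PARAMS, [:password], FILTER_PARAMETERS)
end
```

Running it shows the Stripe token and the API access token, including the one buried inside the `cards` array, surviving the stock initializer and disappearing under the post's list. A quick way to audit a real app is the same idea: run `Rails.application.config.filter_parameters` through your own representative params and look for anything secret that comes back unchanged.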

## What I'd like to see in the future

Developers manually updating the `filter_parameter_logging.rb` file is a good start, but if the `rails new` project template included a few more common keys, I think we'd be in a very good place.

I'd also really like to see more gems just appending their sensitive parameters to the `filter_parameters`.