Hi Sirs,
a very important thing that I can remember about security in a web environment is 'logs'.
Ruby on Rails provides a very simple way to protect us from storing sensitive information in the logs. Every value that comes in through the request parameters is written to the log. During the development phase of a web system, logging this information is useful, but in the production phase it is dangerous: attackers can obtain information through many different channels, and unprotected logs are one of them. Our tip for protecting sensitive information in the logs is the method 'filter_parameter_logging' of the class ActionController::Base.
ActionController::Base is the parent class of every controller in your application, so the best place to call it is in app/controllers/application.rb.
Just insert this example line of code:
filter_parameter_logging :password, :password_confirmation
It then replaces the value of every parameter key whose name matches one of the arguments with "[FILTERED]", so your sensitive information never reaches the logs.
It is a simple tip, but a very important one. Do not forget to use it.
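To make the effect visible without a running application, here is an added example that is not Rails' own code: a small stand-alone re-implementation of what filter_parameter_logging does to the params hash before the request logger writes it. The helper names (build_parameter_filter, filter_parameters, log_request) and the sample params are constructed for this example. It mirrors the two behaviours worth knowing about: the match is a case-insensitive substring match on the key name (so :password also covers password_confirmation and old_password), and nested hashes such as params[:user] are walked recursively, which is where form fields usually land.

```ruby
# Added example (not Rails' own code): a stand-alone re-implementation of
# what filter_parameter_logging does to a request's params hash before it is
# written to the log, so the effect can be seen without a running app.
require 'logger'
require 'stringio'

FILTERED = '[FILTERED]'

# Build a filter from the key names you would pass to filter_parameter_logging.
# Like Rails, the match is a case-insensitive substring match on the key, so
# :password also covers "password_confirmation" and "old_password".
def build_parameter_filter(*filter_words)
  Regexp.new(filter_words.map(&:to_s).join('|'), Regexp::IGNORECASE)
end

# Recursively replace the values of matching keys; nested hashes (e.g. params[:user])
# are walked too, because that is where form fields usually land. A matching key
# whose value is itself a hash is replaced as a whole.
def filter_parameters(params, filter)
  params.each_with_object({}) do |(key, value), filtered|
    filtered[key] =
      if key.to_s =~ filter
        FILTERED
      elsif value.is_a?(Hash)
        filter_parameters(value, filter)
      else
        value
      end
  end
end

# Write the request lines the way the Rails request logger does, into an in-memory
# buffer so the example runs offline and we can inspect what would hit the log.
def log_request(controller, action, params, filter, io = StringIO.new)
  logger = Logger.new(io)
  logger.info("Processing #{controller}##{action} (for 127.0.0.1) [POST]")
  logger.info("  Parameters: #{filter_parameters(params, filter).inspect}")
  io.string
end

# Constructed sample params, the shape a signup form would post.
SAMPLE_PARAMS = {
  'controller' => 'users',
  'action' => 'create',
  'user' => {
    'login' => 'alice',
    'password' => 'hunter2',
    'password_confirmation' => 'hunter2',
  },
  'credit_card' => { 'number' => '4111111111111111' },
}

if __FILE__ == $0
  filter = build_parameter_filter(:password, :credit_card)
  puts log_request('UsersController', 'create', SAMPLE_PARAMS, filter)
end
```

Running the file prints the two log lines with both password fields and the whole credit_card hash replaced by [FILTERED] while login and the routing keys stay readable. In Rails 3 and later the same behaviour is configured with config.filter_parameters in config/application.rb instead of a controller-level call.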
See you.