A security related question


I’m running restful_authentication plugin on my projects.
When we login to the app the contents for the form that the login sends
are clearly available for anyone sniffing traffic. For example locally I
can see that the form sends:


So the username and password can be seen there.

I know https would hide that, also the token is needed for anyone to use
those credentials later.

But, how can this be considered secure?
This is not directly related to restful_authentication plugin, common
issue with any other forms.


In application controller you can say like for example

filter_parameter_logging :password (where password is the field

This the /password/i will be replaced by the value “[FILTERED]”


Hi Sijo,

Thanks for the reply. Yes I forgot to mention that one. But
ilter_parameter_logging will filter it in the server logs. My concern is
before getting that to the server, it goes straight from the browser in
this form:


I guess this is where HTTPS takes the stage…


Yes you are right