From the Rails WIKI
Q: Don’t plain-text passwords still show up in the access log files as
part of the POST requests? Anyone know how to prevent that?
A: Yes, post data shows up in log files, including passwords. To prevent
this, adjust your logging level:
RAILS_DEFAULT_LOGGER.level = Logger::WARN
A: I also ran into this problem. Rather than just change the log level
everywhere, I wanted to only increase it around controller actions that
dealt with passwords. Additionally, the default logging level for
development is Logger::DEBUG, but for production it’s Logger::INFO.
So what I did was add two methods to my login controller:

  # Raise the threshold so INFO/DEBUG lines are not written.
  def upgrade_logging
    RAILS_DEFAULT_LOGGER.level = Logger::WARN
  end

  # Put the level back to the default for the current environment.
  def restore_logging
    if ENV['RAILS_ENV'] == "production"
      RAILS_DEFAULT_LOGGER.level = Logger::INFO
    elsif ENV['RAILS_ENV'] == "development"
      RAILS_DEFAULT_LOGGER.level = Logger::DEBUG
    end
  end

and then set up before_filters to call them around my sensitive actions:
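
The filter code from that answer is not included on this page. As a separate added example (not the poster's code), the same raise-then-restore idea can be written as a block helper around Ruby's standard Logger, which remembers the previous level instead of hard-coding it per environment and restores it even when the action raises. The names with_log_level, handle_login and demo, and the sample parameters, are hypothetical and constructed for illustration.

```ruby
require 'logger'
require 'stringio'

# Hypothetical helper: raise the logger threshold for the duration of the
# block, then restore whatever level was in effect before the call.
def with_log_level(logger, level)
  previous = logger.level
  begin
    logger.level = level
    yield
  ensure
    logger.level = previous   # runs on normal return and on exceptions
  end
end

# Constructed stand-in for a login action: it logs the POST parameters at
# INFO, which is the line that exposes the password in the log file.
def handle_login(logger, params)
  logger.info("Parameters: #{params.inspect}")
  raise ArgumentError, 'bad credentials' if params['password'].empty?
  logger.warn("login attempt for #{params['user']}")
  :ok
end

def demo
  out = StringIO.new
  logger = Logger.new(out)
  logger.level = Logger::INFO   # production default mentioned above
  params = { 'user' => 'alice', 'password' => 'constructed-secret' }

  handle_login(logger, params)  # unprotected call: parameters are logged
  leaked = out.string.include?('constructed-secret')

  mark = out.string.length      # only inspect what is logged from here on
  with_log_level(logger, Logger::WARN) { handle_login(logger, params) }
  quiet = out.string[mark..]

  begin
    bad = { 'user' => 'bob', 'password' => '' }
    with_log_level(logger, Logger::WARN) { handle_login(logger, bad) }
  rescue ArgumentError
    # the action failed; the level must still be back at INFO
  end

  { leaked: leaked,
    quiet_leak: quiet.include?('constructed-secret'),
    warn_kept: quiet.include?('login attempt for alice'),
    restored: logger.level == Logger::INFO }
end
```

The level belongs to the logger object, so everything else written through the same logger while the block runs is held to the raised threshold as well.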