Adds security note to param logging

Good for this to be top of mind so no one traverses as such: ``` config.lograge.custom_payload do |controller| exceptions = %w(controller action format authenticity_token) { params: controller.request.params.except(*exceptions), # request.params is DANGEROUS } end ``` request.filtered_params is at least a bit safer as noted in #28
roidrage · Jun 3, 2019 · 31f5377 · 31f5377
1 parent 8fdc075
commit 31f5377
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -291,8 +291,10 @@ visualized in graphs than dumped (and ignored) in a log file.
 Lograge doesn't yet log the request parameters. This is something I'm actively
 contemplating, mainly because I want to find a good way to include them, a way
 that fits in with the general spirit of the log output generated by Lograge.
-However, the payload does already contain the params hash, so you can easily
-add it in manually using `custom_options`:
+If you decide to include them, be sure that senstive data like passwords
+and credit cards are not stored via [filtered_params](https://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html)
+or another means. The payload does already contain the params hash, so you can easily add
+it in manually using `custom_options`:
 
 ```ruby
 # production.rb