Raise error if sensitive values appear in query string

Rails automatically filters sensitive information from logs. However, there is no mechanism preventing these parameters from appearing in the query string.

Imagine the case where a login form’s method is accidentally set to get instead of post. This would leak the password in the query string.


The values in the query string would then available in the browser’s history and potentially any analytic software.

One solution could be to raise an error in ActionView::Helpers::FormHelper#form_with under the following conditions:

However, there could be valid cases for building a form containing sensitive parameters, so there should probably be a way to opt-out of this. Either by using a different configuration to store the parameters we want to guard against, or by passing allowed values to #form_with:

<%= form_with(method: :get, permit_sensitive_params: [:token]) do | form| %>
  <% form.text_field :token %>
<% end %>