Raise error if sensitive values appear in query string

Rails automatically filters sensitive information from logs. However, there is no mechanism preventing these parameters from appearing in the query string.

Imagine the case where a login form’s method is accidentally set to get instead of post. This would leak the password in the query string.

https://example.com/?username=username&password=s3kret

The values in the query string would then be available in the browser’s history and potentially any analytics software.

One solution could be to raise an error in ActionView::Helpers::FormHelper#form_with under the following conditions:

However, there could be valid cases for building a form containing sensitive parameters, so there should probably be a way to opt out of this, either by using a different configuration to store the parameters we want to guard against, or by passing allowed values to #form_with:

<%= form_with(method: :get, permit_sensitive_params: [:token]) do |form| %>
  <%= form.text_field :token %>
<% end %>
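
A request-side version of the same guard, as an added example that is not part of the original post or of Rails: plain Ruby that flags GET requests whose query string carries a key matching a sensitive filter, with a permit list for intentional cases. The filter list, `SensitiveQueryParamError`, `sensitive_query_keys` and `check_request!` are hypothetical names; the filters are constructed to resemble partial-match parameter filters rather than read from an application.

```ruby
require "uri"

# Constructed filter list (assumption): partial matches on key names,
# in the style of log parameter filters. Not read from a real app.
SENSITIVE_FILTERS = [/passw/i, /secret/i, /token/i, /_key\z/i].freeze

# Hypothetical error class for this example.
class SensitiveQueryParamError < StandardError; end

# Returns the query-string keys that match a sensitive filter and are not
# explicitly permitted. Nested keys such as user[password] are split into
# segments so the match does not depend on the wrapping namespace.
def sensitive_query_keys(url, permit: [], filters: SENSITIVE_FILTERS)
  query = url[/\?([^#]*)/, 1]            # text between "?" and "#", if any
  return [] if query.nil? || query.empty?

  permitted = permit.map(&:to_s)
  URI.decode_www_form(query).map(&:first).uniq.select do |key|
    segments = key.scan(/[^\[\]]+/)      # "user[password]" -> ["user", "password"]
    leaf = segments.last || key
    next false if permitted.include?(leaf)
    segments.any? { |seg| filters.any? { |f| f.match?(seg) } }
  end
end

# Raises for GET requests that carry sensitive keys; other methods pass,
# because their parameters travel in the body, not the URL.
def check_request!(http_method, url, permit: [])
  return :ok unless http_method.to_s.casecmp?("get")

  leaked = sensitive_query_keys(url, permit: permit)
  return :ok if leaked.empty?

  # Report key names only, so the secret is not copied into the error.
  raise SensitiveQueryParamError,
        "sensitive keys in query string: #{leaked.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URL, matching the one in the post.
  url = "https://example.com/?username=username&password=s3kret"
  begin
    check_request!(:get, url)
  rescue SensitiveQueryParamError => e
    puts e.message
  end
end
```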