Leaking authenticity_token in logs


0x01

Mar 15, 2019, 2:54:51 PM
to Ruby on Rails: Talk
Is there a danger in leaking authenticity_token in logs? To put it differently: should I filter them out from logs?

Joe Guerra

Mar 15, 2019, 3:08:48 PM
to Ruby on Rails: Talk
Where are your logs located?

0x01

Mar 16, 2019, 2:19:13 AM
to Ruby on Rails: Talk
I do use Heroku and pipe logs to Papertrail (log aggregation service). Also, logs are stored in Amazon S3 for some time.

If these logs get compromised, can these tokens be used again (i.e. are these tokens reusable?)

Thanks.

On Friday, March 15, 2019, at 23:08:48 UTC+4, Joe Guerra wrote:

Rob Zolkos

Mar 16, 2019, 7:50:36 AM
to rubyonra...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/e8137c7f-e3c8-4fe8-8115-4c290ae68dc1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Walter Lee Davis

Mar 16, 2019, 1:27:40 PM
to rubyonra...@googlegroups.com
They are only valid for 15 minutes and then they are never going to work again. They don't matter. I suppose if you had enough of them you could brute-force out what the secret key was, but that's a nation-state level of effort. Are your users (or their haters) in that league?

Walter
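The filtering the original poster asks about, as an added example that is not code from anyone in this thread: a self-contained Ruby approximation of what Rails' config.filter_parameters does to the "Parameters:" line before it is written to the log (and from there shipped to Papertrail or S3). The sample token value is constructed; the real Rails implementation lives in ActiveSupport::ParameterFilter and is not reproduced here.

```ruby
# Added example: approximates the parameter masking Rails applies through
# config.filter_parameters (normally set in
# config/initializers/filter_parameter_logging.rb, e.g.
#   Rails.application.config.filter_parameters += [:authenticity_token]).
# Only the behaviour relevant to the question above is reproduced.

FILTERED = "[FILTERED]".freeze

# Keys whose values must never reach the log. Like Rails, each symbol is
# matched as a case-insensitive substring of the parameter name.
DEFAULT_FILTERS = [:authenticity_token, :password, :secret].freeze

# Returns a deep copy of +params+ with sensitive values masked; the input
# hash is left untouched. Nested hashes and arrays of hashes are handled.
def filter_params(params, filters = DEFAULT_FILTERS)
  patterns = filters.map { |f| Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE) }
  deep_filter(params, patterns)
end

def deep_filter(value, patterns)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = if patterns.any? { |re| re.match?(k.to_s) }
                 FILTERED
               else
                 deep_filter(v, patterns)
               end
    end
  when Array
    value.map { |v| deep_filter(v, patterns) }
  else
    value
  end
end

# Constructed sample resembling the params of a form POST; the token is fake.
SAMPLE_PARAMS = {
  "authenticity_token" => "Zt7fakeTokenQx==",
  "post" => { "title" => "Hello", "body" => "world" },
  "commit" => "Create Post"
}.freeze

# Builds the log line the way Rails' request logger would, after filtering.
def log_line(params)
  "Parameters: #{filter_params(params).inspect}"
end

puts log_line(SAMPLE_PARAMS) if __FILE__ == $PROGRAM_NAME
```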