By default, Rails applications log every parameter passed to a controller. Normally this is desirable behavior, but sensitive values (e.g. passwords and credit card numbers) should never be written to the log.
The recommended approach for this is to add a filter_parameters directive in your application configuration as shown below.
    module SampleApp
      class Application < Rails::Application
        # Filter sensitive parameters from the log file.
        config.filter_parameters += [:password]
      end
    end
But what if you are working within the context of a Rails Engine? For instance, in the Spree application there is an engine that has a controller responsible for posting credit card information (over SSL, of course). After a little bit of digging I came up with the following solution:
    module SpreeCore
      class Engine < Rails::Engine
        # filter sensitive information during logging
        initializer "spree.params.filter" do |app|
          app.config.filter_parameters += [:number]
        end
      end
    end
It turns out you can dynamically declare an initializer in your Railtie and then just add the filter there.
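Before relying on the combined application and engine filters, it helps to check what they actually mask. The following is an added example, not code from the original post or from Spree: a plain-Ruby model of filter matching, assuming symbol filters match parameter keys partially and case-insensitively. The helper names and the sample payload (including its field names) are constructed for illustration.

```ruby
# Added example: plain-Ruby model of parameter-filter matching.
# Assumption: a symbol filter matches any key that CONTAINS it, ignoring case.
# This is not Rails' own implementation; names and data below are constructed.
MASK = "[FILTERED]"

# Build one case-insensitive pattern from a list of symbol/string filters.
def compile_filters(filters)
  Regexp.new(filters.map { |f| Regexp.escape(f.to_s) }.join("|"), Regexp::IGNORECASE)
end

# Return a masked copy of params; the input is never modified.
def filter_params(value, pattern)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      # A matching key masks its whole value, nested structures included.
      out[key] = key.to_s.match?(pattern) ? MASK : filter_params(val, pattern)
    end
  when Array
    value.map { |v| filter_params(v, pattern) }
  else
    value
  end
end

# Constructed sample of a checkout POST (field names are assumptions).
SAMPLE_PARAMS = {
  "order_number" => "R123456789",
  "payment_source" => {
    "number" => "4111111111111111",
    "verification_value" => "123",
    "month" => "12"
  },
  "user" => { "password" => "s3cret", "password_confirmation" => "s3cret" }
}

if __FILE__ == $PROGRAM_NAME
  # Filters from the application (:password) plus the engine (:number).
  pattern = compile_filters([:password, :number])
  puts filter_params(SAMPLE_PARAMS, pattern).inspect
  # "number" and "order_number" are both masked (partial match), while
  # "verification_value" still appears in clear until it is added as a filter.
end
```

Partial matching means :number also hides unrelated keys such as order_number, and it does not cover other card fields, so list every sensitive key the engine's controllers accept.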