From 9372c6eb00e320165f900dc90f35c16a191d17b9 Mon Sep 17 00:00:00 2001 From: Daniel Powell Date: Mon, 3 Jun 2019 17:11:03 -0600 Subject: [PATCH] Adds security note to param logging Good for this to be top of mind so no one traverses as such: ``` config.lograge.custom_payload do |controller| exceptions = %w(controller action format authenticity_token) { params: controller.request.params.except(*exceptions), # request.params is DANGEROUS } end ``` request.filtered_parameters is at least a bit safer as noted in https://github.com/roidrage/lograge/issues/28 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3546bedd..f3896127 100644 --- a/README.md +++ b/README.md @@ -291,8 +291,10 @@ visualized in graphs than dumped (and ignored) in a log file. Lograge doesn't yet log the request parameters. This is something I'm actively contemplating, mainly because I want to find a good way to include them, a way that fits in with the general spirit of the log output generated by Lograge. -However, the payload does already contain the params hash, so you can easily -add it in manually using `custom_options`: +If you decide to include them be sure that senstive data like passwords +and credit cards are not stored via [filtered_parameters](https://api.rubyonrails.org/classes/ActionDispatch/Http/FilterParameters.html) +or another means. The payload does already contain the params hash, so you can easily add +it in manually using `custom_options`: ```ruby # production.rb
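Review bot: the added README sentence has a typo ("senstive" should be "sensitive") and its wording is ambiguous, because "are not stored via [filtered_parameters] or another means" reads as if `filtered_parameters` were the place the data gets stored rather than the safeguard that masks it; suggest rewording along the lines of "If you decide to include them, make sure sensitive data such as passwords and credit card numbers is filtered out, for example by logging `request.filtered_parameters` (which applies `config.filter_parameters`) instead of the raw params hash." Since the commit message itself flags `request.params` as DANGEROUS, the snippet that follows the hunk (`# production.rb`, introduced as using `custom_options`) should be checked as well so that it reads the filtered hash and does not demonstrate the very pitfall the new sentence warns about. Minor: the commit message example uses `custom_payload` while the README text it accompanies says `custom_options`; worth confirming the README snippet names the intended hook.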
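To make the difference between the two payloads concrete, here is an added example that is not lograge's code and not part of the patch. It contrasts the unsafe `request.params` payload from the commit message with one built from `filtered_parameters`. Rails is not loaded; `filter_parameters`, the `Request` struct, `EXCEPTIONS`, `unsafe_payload`, `safe_payload` and `SAMPLE_REQUEST` are all assumed names, and the filter is a simplified stand-in for what `ActionDispatch::Http::FilterParameters` does (substring or regexp key matching, masking with `[FILTERED]`), not the real implementation.

```ruby
# Added example, not lograge's or Rails' code. The filter below is a
# simplified stand-in for Rails' config.filter_parameters behaviour.
FILTERED = "[FILTERED]".freeze

# Recursively mask values whose key matches any filter. Filters are symbols
# or strings (substring match on the key) or Regexps, mirroring Rails.
def filter_parameters(params, filters)
  params.each_with_object({}) do |(key, value), out|
    matched = filters.any? do |f|
      f.is_a?(Regexp) ? f.match?(key.to_s) : key.to_s.include?(f.to_s)
    end
    out[key] =
      if matched
        FILTERED
      elsif value.is_a?(Hash)
        filter_parameters(value, filters)
      else
        value
      end
  end
end

# Minimal request double exposing the two accessors the README text mentions.
Request = Struct.new(:params, :filters) do
  def filtered_parameters
    filter_parameters(params, filters)
  end
end

# Keys usually dropped because they are noise, not secrets (from the commit message).
EXCEPTIONS = %w(controller action format authenticity_token).freeze

def strip_noise(hash)
  hash.reject { |k, _| EXCEPTIONS.include?(k) }
end

# The payload the commit message labels DANGEROUS: raw params, secrets included.
def unsafe_payload(request)
  { params: strip_noise(request.params) }
end

# The safer payload: the filtered hash, with the same noise keys removed.
def safe_payload(request)
  { params: strip_noise(request.filtered_parameters) }
end

# Constructed sample request: a login form plus a card field, with filters
# resembling what an app would put in config.filter_parameters.
SAMPLE_REQUEST = Request.new(
  {
    "controller" => "sessions", "action" => "create", "format" => "html",
    "authenticity_token" => "tok123",
    "user" => { "email" => "alice@example.com", "password" => "hunter2" },
    "card" => { "credit_card_number" => "4111111111111111" }
  },
  [:password, /credit_card/]
)

if __FILE__ == $0
  puts "unsafe: #{unsafe_payload(SAMPLE_REQUEST)}"
  puts "safe:   #{safe_payload(SAMPLE_REQUEST)}"
end
```

Running the file prints the two payloads side by side: the unsafe one carries the plaintext password and card number into the log line, while the safe one keeps the non-sensitive fields (email, controller noise already stripped) and masks the rest. The same shape applies inside a lograge `custom_options`/`custom_payload` block: whichever hook is used, read the filtered hash rather than `request.params`.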