The Neuronen Schmiede concerns itself with topics related to software development. One focus is robust web applications.

GDPR Compliance with Ruby on Rails - IP-Address Logging


The General Data Protection Regulation (GDPR) requires Personally Identifiable Information (PII) either to be protected or not to be processed or stored at all. An IP address counts as PII and therefore requires special treatment.

By default a Ruby on Rails application writes the client's IP address to its log file on every request. One of the cleanest ways to protect visitors is to log an anonymized address instead of the actual one.

The existing Rails::Rack::Logger class (which inherits from ActiveSupport::LogSubscriber) is reopened in an initializer, and its started_request_message method is overridden so that the request log line no longer contains the full IP address.

config/initializers/rack_logger.rb

require 'ipaddr'

# Reopen Rails' request logger and replace the "Started GET ..." line so
# that only the network part of the client's IP address reaches the log.
module Rails
  module Rack
    class Logger < ActiveSupport::LogSubscriber
      def started_request_message(request)
        'Started %s "%s" for %s at %s' % [
          request.request_method,
          request.filtered_path,
          anonymized_ip(request),
          Time.now.to_default_s ]
      end

      # Keep the /24 network for IPv4 and the /48 prefix for IPv6; the
      # host-identifying bits are zeroed before the address is logged.
      def anonymized_ip(request)
        ip = IPAddr.new(request.ip)

        if ip.ipv4?
          ip.mask(24).to_s
        else
          ip.mask(48).to_s
        end
      end
    end
  end
end
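The truncation the initializer above performs, as an added stand-alone example (not the blog's code) that can be run outside Rails. It uses the same /24 and /48 masks but also covers two cases the initializer does not: an IPv4-mapped IPv6 address such as ::ffff:203.0.113.42, which a /48 mask would reduce to "::" and therefore lose entirely, and an unparsable value, which must not raise inside the logging path. The function name, its keyword arguments, the "unknown" placeholder and the sample addresses are assumptions made for this example.

```ruby
require 'ipaddr'

# Added example, not the blog's code: the same truncation the logger
# applies, as a stand-alone function. The name, the keyword arguments and
# the "unknown" fallback are assumptions made for this example.
#
# IPv4 keeps the first 24 bits, IPv6 the first 48 bits, matching the masks
# used in the initializer.
def anonymized_ip_string(raw, v4_prefix: 24, v6_prefix: 48)
  ip = IPAddr.new(raw.to_s)
  # "::ffff:a.b.c.d" is an IPv4 client reached over an IPv6 socket; an IPv6
  # /48 mask would zero it to "::", so convert it to plain IPv4 first.
  ip = ip.native if ip.ipv4_mapped?
  if ip.ipv4?
    ip.mask(v4_prefix).to_s
  else
    ip.mask(v6_prefix).to_s
  end
rescue IPAddr::Error
  # A garbled address must not raise while a request is being logged;
  # record a constant placeholder instead.
  'unknown'
end

# Constructed sample addresses from the documentation ranges (RFC 5737,
# RFC 3849), plus one deliberately invalid value.
SAMPLE_IPS = [
  '203.0.113.42',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  '::ffff:203.0.113.42',
  'not-an-ip'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IPS.each do |raw|
    puts format('%-40s -> %s', raw, anonymized_ip_string(raw))
  end
end
```

Running the file prints each sample address next to its anonymized form. The address seen by the logger is whatever the client or an upstream proxy supplied, so the rescue clause is what keeps a malformed value from turning every request into an exception in the logging path rather than one anonymized log line.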