ruby 47 lines · 7 steps

Recursively scrubbing secrets from JSON

A scrubber walks any nested payload, redacting sensitive keys and partially masking emails before serializing.

Explained by highlit

Intermediate recursion data-masking pattern-matching serialization security

1require 'json'
2require 'set'
3 
4class SensitiveScrubber
DEFAULT_KEYS = %w[
  password password_confirmation token access_token refresh_token
  secret api_key ssn credit_card cvv authorization
].freeze
9 
EMAIL_PATTERN = /\A[^@\s]+@[^@\s]+\z/
11 
def initialize(keys: DEFAULT_KEYS, mask: '[FILTERED]')
  @keys = Set.new(keys.map(&:to_s).map(&:downcase))
  @mask = mask
end
16 
def to_json(payload, **opts)
  JSON.generate(scrub(payload), **opts)
end
20 
private
22 
def scrub(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), acc|
      acc[key] = sensitive?(key) ? @mask : scrub(val)
    end
  when Array
    value.map { |item| scrub(item) }
  when String
    value.match?(EMAIL_PATTERN) ? mask_email(value) : value
  else
    value
  end
end
37 
def sensitive?(key)
  @keys.include?(key.to_s.downcase)
end
41 
def mask_email(email)
  local, domain = email.split('@', 2)
  visible = local[0, 2]
  "#{visible}#{'*' * [local.length - 2, 1].max}@#{domain}"
end
47end

01 / 01

STEP 01

Walkthrough

Space play ←→ step click any line

Three takeaways

1A recursive case-by-type walk handles arbitrarily nested hashes and arrays uniformly.
2Normalizing keys into a downcased Set makes sensitivity checks fast and case-insensitive.
3Partial masking preserves enough of a value to stay recognizable without exposing it fully.

Related explainers

ruby

require "csv"
 
class SalesReport
  def initialize(path)

Aggregating CSV sales data in Ruby

data-aggregation memoization group_by

Intermediate 6 steps

python

from collections.abc import Mapping
from typing import Any, Iterator

Flattening nested config into dotted keys

recursion generators tree-traversal

Intermediate 7 steps

ruby

module DurationFormatter
  UNITS = [
    ['week', 604_800],
    ['day', 86_400],

Turning seconds into human-readable durations in Ruby

greedy-decomposition modular-arithmetic formatting

Intermediate 7 steps

php

<?php
 
class ImageUploadService
{

Validating file uploads safely in PHP

file-upload input-validation security

Intermediate 8 steps

ruby

class Comment < ApplicationRecord
  belongs_to :post
  belongs_to :author, class_name: "User"

Live-updating comments with Turbo in Rails

turbo-streams callbacks associations

Intermediate 8 steps

package model
 
import (
	"encoding/json"

Custom JSON marshaling in Go

json serialization interfaces

Intermediate 5 steps

Share this explainer

Here's the card — post it anywhere.

Recursively scrubbing secrets from JSON — share card

Made with highlit — turn any snippet into a walkthrough like this in about a minute.

Explain your code

Recursively scrubbing secrets from JSON

Walkthrough

Related explainers

Aggregating CSV sales data in Ruby

Flattening nested config into dotted keys

Turning seconds into human-readable durations in Ruby

Validating file uploads safely in PHP

Live-updating comments with Turbo in Rails

Custom JSON marshaling in Go

Share this explainer

Embed this explainer