diff --git a/changelogs/unreleased/sh-filter-csrf-params.yml b/changelogs/unreleased/sh-filter-csrf-params.yml
new file mode 100644
index 0000000000000000000000000000000000000000..70eb3321e77d546727cdbca2a654d219edc6f3a3
--- /dev/null
+++ b/changelogs/unreleased/sh-filter-csrf-params.yml
@@ -0,0 +1,5 @@
+---
+title: Filter additional secrets from Rails logs
+merge_request:
+author:
+type: security
diff --git a/config/application.rb b/config/application.rb
index f69dab4de3988b5841176285f6d6adff322fe5b0..32a290f2002720c25ff22304f5de3825ed731249 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -51,31 +51,24 @@ class Application < Rails::Application
     # Configure sensitive parameters which will be filtered from the log file.
     #
     # Parameters filtered:
-    # - Password (:password, :password_confirmation)
-    # - Private tokens
+    # - Any parameter ending with `_token`
+    # - Any parameter containing `password`
+    # - Any parameter containing `secret`
     # - Two-factor tokens (:otp_attempt)
     # - Repo/Project Import URLs (:import_url)
     # - Build variables (:variables)
     # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
     # - Webhook URLs (:hook)
-    # - GitLab-shell secret token (:secret_token)
     # - Sentry DSN (:sentry_dsn)
     # - Deploy keys (:key)
+    config.filter_parameters += [/_token$/, /password/, /secret/]
     config.filter_parameters += %i(
-      authentication_token
       certificate
       encrypted_key
       hook
       import_url
-      incoming_email_token
-      rss_token
       key
       otp_attempt
-      password
-      password_confirmation
-      private_token
-      runners_token
-      secret_token
       sentry_dsn
       variables
     )