PostHog API key
ID: posthog_key
Severity: low
Vendor: PostHog
Family: API Key
Description
PostHog is an open-source product analytics platform that provides tools for event tracking, session recording, feature flags, A/B testing, and user surveys.
PostHog uses API keys for authentication. Project API keys (phc_ prefix) are used for client-side event capture and feature flag evaluation. Although they are designed to be embedded in frontend code, they should still be tracked, because a key identifies your project.
Security
A leaked project API key (phc_) could allow:
- Sending fake analytics events to your project, polluting your data.
- Evaluating feature flags for arbitrary users.
Examples
The following are examples of leaked PostHog keys:
POSTHOG_API_KEY=phc_99T7muzafUMM...3l5Qbv
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the key.
  For project API keys: go to Project Settings and click "Roll key" to rotate the project API key. Update all client-side integrations with the new key.
  Leaked keys should be immediately revoked and rotated.
- Remove the leaked PostHog key from the source code or committed configuration file, and replace the usages of the leaked key with the new value. Environment variables, local files or secret vaults could be used for passing the key, instead of hardcoding the value, as documented in How to Prevent Hard-Coded Secrets.
- Check PostHog activity logs to ensure that the key was not used by unintended actors during the compromised period.
- Follow best practices for securely handling PostHog API keys:
  - Never commit personal API keys to public repositories.
  - Use environment variables or secret managers to pass API keys in your code.
  - Use separate keys for development and production environments.
  - Monitor API usage for unusual patterns.
  - Implement proper access controls and key rotation schemes.

You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
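The two practical sides of this page, spotting a hardcoded phc_ key before it is committed (the Examples section) and reading the key from the environment instead of a literal (the Mitigation section), can be shown in one small script. This is an added example written for this page, not code from PostHog or from the detector; the sample file contents and both key values are constructed, and the regex (phc_ followed by at least 20 URL-safe base64 characters) is an assumed shape since the page does not state the exact key length.

```python
import os
import re
from typing import List, Mapping, Tuple

# Assumed shape of a PostHog project API key: the documented "phc_" prefix
# followed by a run of URL-safe base64 characters. The minimum length of 20
# is an illustrative threshold, not a value taken from PostHog.
POSTHOG_KEY_RE = re.compile(r"phc_[A-Za-z0-9_-]{20,}")

# Constructed sample: a .env file and a JS snippet that both hardcode a key.
# Both key values are made up for this example.
SAMPLE_SOURCE = """\
# .env (constructed sample)
POSTHOG_API_KEY=phc_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg
# app.js (constructed sample)
posthog.init('phc_zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTS', {api_host: 'https://us.i.posthog.com'});
# unrelated line
API_HOST=https://example.invalid
"""


def mask(secret: str, keep: int = 4) -> str:
    """Keep the prefix plus a short head and tail so a finding report
    does not re-leak the full value into logs or tickets."""
    return f"{secret[:4 + keep]}...{secret[-keep:]}"


def find_posthog_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_key) for every phc_ key found in text.

    This is the pre-commit / repository-scan side: run it over files that
    are about to be committed and block the commit on any finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in POSTHOG_KEY_RE.finditer(line):
            findings.append((lineno, mask(match.group(0))))
    return findings


def load_posthog_key(env: Mapping[str, str] = os.environ,
                     var: str = "POSTHOG_API_KEY") -> str:
    """Read the project key from the environment instead of a hardcoded
    literal, and validate its shape so a missing or mangled value fails
    fast at startup rather than silently sending events nowhere."""
    value = env.get(var, "")
    if not POSTHOG_KEY_RE.fullmatch(value):
        raise ValueError(f"{var} is unset or does not look like a PostHog project API key")
    return value


if __name__ == "__main__":
    for lineno, masked in find_posthog_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: possible PostHog project API key {masked}")
```

Running the script reports the two constructed keys by line number with most of each value masked; wiring find_posthog_keys into a pre-commit hook over staged files is the usual way to stop the leak before it reaches history, and load_posthog_key is the shape the application code takes after the hardcoded literal is removed.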