posthog-security-basics

PostHog Security Basics

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "posthog-security-basics" with this command: npx skills add jeremylongshore/claude-code-plugins-plus-skills/jeremylongshore-claude-code-plugins-plus-skills-posthog-security-basics

PostHog Security Basics

Overview

Security best practices for PostHog API keys, tokens, and access control.

Prerequisites

  • PostHog SDK installed

  • Understanding of environment variables

  • Access to PostHog dashboard

Instructions

Step 1: Configure Environment Variables

.env (NEVER commit to git)

POSTHOG_API_KEY=sk_live_*** POSTHOG_SECRET=***

.gitignore

.env .env.local .env.*.local

Step 2: Implement Secret Rotation

set -euo pipefail

1. Generate new key in PostHog dashboard

2. Update environment variable

export POSTHOG_API_KEY="new_key_here"

3. Verify new key works

curl -H "Authorization: Bearer ${POSTHOG_API_KEY}"
https://api.posthog.com/health

4. Revoke old key in dashboard

Step 3: Apply Least Privilege

Environment Recommended Scopes

Development read:*

Staging read:*, write:limited

Production Only required scopes

Output

  • Secure API key storage

  • Environment-specific access controls

  • Audit logging enabled

Error Handling

Security Issue Detection Mitigation

Exposed API key Git scanning Rotate immediately

Excessive scopes Audit logs Reduce permissions

Missing rotation Key age check Schedule rotation

Examples

Service Account Pattern

const clients = { reader: new PostHogClient({ apiKey: process.env.POSTHOG_READ_KEY, }), writer: new PostHogClient({ apiKey: process.env.POSTHOG_WRITE_KEY, }), };

Webhook Signature Verification

import crypto from 'crypto';

function verifyWebhookSignature( payload: string, signature: string, secret: string ): boolean { const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex'); return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); }

Security Checklist

  • API keys in environment variables

  • .env files in .gitignore

  • Different keys for dev/staging/prod

  • Minimal scopes per environment

  • Webhook signatures validated

  • Audit logging enabled

Audit Logging

interface AuditEntry { timestamp: Date; action: string; userId: string; resource: string; result: 'success' | 'failure'; metadata?: Record<string, any>; }

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> { const log: AuditEntry = { ...entry, timestamp: new Date() };

// Log to PostHog analytics await posthogClient.track('audit', log);

// Also log locally for compliance console.log('[AUDIT]', JSON.stringify(log)); }

// Usage await auditLog({ action: 'posthog.api.call', userId: currentUser.id, resource: '/v1/resource', result: 'success', });

Resources

  • PostHog Security Guide

  • PostHog API Scopes

Next Steps

For production deployment, see posthog-prod-checklist .

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

xss-vulnerability-scanner

No summary provided by upstream source.

Repository SourceNeeds Review
-44
jeremylongshore
Security

session-security-checker

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore
Security

cookie-security-analyzer

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore