🛡️ 测试与安全

posthog-security-basics

提供 PostHog 安全配置的全流程指导,涵盖 API 密钥的安全存储与轮换、基于环境的最小权限控制、Webhook 签名验证及合规审计日志记录,适用于构建符合安全规范的数据分析基础设施。

快捷安装

在终端运行此命令,即可一键安装该 Skill 到您的 Claude 中

npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill "posthog-security-basics"

PostHog Security Basics

Overview

Secure PostHog API key management, least-privilege access, and secret rotation. PostHog has two key types with very different security profiles: the Project API Key (phc_...) is intentionally public and safe to include in frontend bundles, while the Personal API Key (phx_...) grants admin access and must never be exposed.

Prerequisites

  • PostHog account with admin access
  • Understanding of environment variable management
  • .gitignore configured

Instructions

Step 1: Understand Key Security Profiles

Key TypePrefixExposure RiskCapabilities
Project API Keyphc_Low (designed to be public)Capture events, evaluate flags, identify users
Personal API Keyphx_Critical (full admin access)CRUD flags, read persons, query insights, delete data
# .env (NEVER commit)
NEXT_PUBLIC_POSTHOG_KEY=phc_abc123   # Safe for frontend (NEXT_PUBLIC_ prefix)
POSTHOG_PERSONAL_API_KEY=phx_xyz789  # Server-only — NEVER in frontend code
POSTHOG_PROJECT_ID=12345

# .gitignore
.env
.env.local
.env.*.local

Step 2: Create Scoped Personal API Keys

set -euo pipefail
# Create a read-only key for BI dashboards
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "bi-dashboard-readonly",
    "scopes": ["insight:read", "dashboard:read", "query:read"]
  }'

# Create a key scoped to feature flags only
curl -X POST "https://app.posthog.com/api/personal_api_keys/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "label": "feature-flag-service",
    "scopes": ["feature_flag:read", "feature_flag:write"]
  }'

Step 3: Rotate Personal API Keys

set -euo pipefail
# 1. Create new key in PostHog Settings > Personal API Keys
# 2. Update secret in your deployment platform
# Vercel:
vercel env rm POSTHOG_PERSONAL_API_KEY production
vercel env add POSTHOG_PERSONAL_API_KEY production

# GitHub Actions:
gh secret set POSTHOG_PERSONAL_API_KEY --body "phx_new_key_here"

# 3. Verify new key works
curl -s "https://app.posthog.com/api/projects/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | jq '.[0].name'

# 4. Delete old key in PostHog dashboard

Step 4: Prevent Key Leaks

# Git pre-commit hook to catch PostHog personal keys
# .git/hooks/pre-commit (or use husky)
#!/bin/bash
if git diff --cached --diff-filter=ACM | grep -qE 'phx_[a-zA-Z0-9]{20,}'; then
  echo "ERROR: PostHog personal API key (phx_) detected in staged files!"
  echo "Remove it and use environment variables instead."
  exit 1
fi
# .github/secret-scanning.yml (or use GitHub's built-in secret scanning)
patterns:
  - name: PostHog Personal API Key
    regex: 'phx_[a-zA-Z0-9]{20,}'
    severity: critical

Step 5: Server-Side Key Isolation

// lib/posthog-server.ts — Personal key never leaves the server
import { PostHog } from 'posthog-node';

const posthog = new PostHog(process.env.NEXT_PUBLIC_POSTHOG_KEY!, {
  host: 'https://us.i.posthog.com',
  // personalApiKey ONLY used server-side for local flag evaluation
  personalApiKey: process.env.POSTHOG_PERSONAL_API_KEY,
});

// API routes that proxy admin operations
// Never expose the personal key to the client
export async function getFeatureFlagsForUser(userId: string) {
  return posthog.getAllFlags(userId);
}

Step 6: Audit API Key Usage

set -euo pipefail
# Check activity log for API key operations
curl "https://app.posthog.com/api/projects/$POSTHOG_PROJECT_ID/activity_log/" \
  -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" | \
  jq '[.results[] | select(.scope == "PersonalAPIKey") | {
    user: .user.email,
    activity: .activity,
    created_at
  }]'

Security Checklist

  • Project key (phc_) used for all frontend/capture code
  • Personal key (phx_) only on server, never in frontend bundles
  • .env files in .gitignore
  • Separate keys per environment (dev/staging/prod)
  • Scoped personal keys (not full admin for every service)
  • Git pre-commit hook scanning for phx_ keys
  • Key rotation documented and scheduled (quarterly)

Error Handling

IssueDetectionFix
Personal key in git historyGitHub secret scanning alertRotate key immediately, revoke old one
Wrong key type401 on admin APIUse phx_ for admin, phc_ for capture
Overprivileged keyAudit log shows unexpected operationsCreate scoped key, revoke broad one
Key exposed in logsLog scrubbing finds phx_Redact logs, rotate key

Output

  • Environment-specific API key configuration
  • Scoped personal API keys for least privilege
  • Key rotation procedure
  • Git pre-commit hook for leak prevention
  • Audit log queries for key usage monitoring

Resources

Next Steps

For production deployment, see posthog-prod-checklist.

🔗 相关技巧

superpowers-workflow

遵循结构化流程处理开发任务,涵盖需求澄清、分步规划、测试优先的实现、代码审查与验证总结,适用于功能开发、调试、重构及自动化设计等场景,根据变更风险动态调整流程严格度。

webapp-testing

提供对本地 Web 应用的端到端测试能力,支持启动服务、自动化交互、截图诊断、控制台日志捕获及动态 DOM 分析,适用于验证前端功能与调试 UI 行为。

pr-creator

自动化创建符合规范的拉取请求,涵盖分支切换、模板识别与填充、预检验证及标准化提交,确保代码审查流程的合规性与完整性。

java-python-code-reviewer

提供针对 Java与 Python 代码的深度评审,聚焦正确性、复杂度分析与实现质量。支持算法题解审查,识别边界条件遗漏与性能瓶颈,推荐数据结构优化策略,并对比双语言实现差异,在保证逻辑严谨的同时提升代码可读性与执行效率。