
Source: ocean/docs/posthog-security-updates.md

PostHog CDP Security Updates

Overview

We've implemented several critical security updates to protect user data and ensure proper access control in the PostHog CDP integration.

Security Improvements

1. Privacy-Protected Database Views

The PostHog views now implement PII protection:

  • Email Hashing: Emails are SHA-256 hashed before they leave the database, so PostHog can correlate events for the same user without receiving the address. Note that an unsalted hash is pseudonymization, not anonymization: anyone who already holds a candidate address can hash it and check for a match.
  • Domain Extraction: Only the email domain is exposed, for organization-level tracking
  • Data Aggregation: User and org IDs are hashed, and only aggregated metrics are exposed
  • Filtered Data: Internal and test users are excluded; only confirmed users are included
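
The following is an added example, not code from the project's views, that shows what the hashing above does and does not protect against. It applies the same transformation the views are described as using (SHA-256 over a normalised address, domain extraction) and runs a dictionary match against it, then contrasts a keyed HMAC-SHA256 variant. The sample addresses and the key name are constructed for the illustration; the keyed variant is a suggestion, not something the page says the views do.

```typescript
import { createHash, createHmac } from "node:crypto";

// Constructed sample data, not real users.
const SAMPLE_EMAILS = ["Alice@Example.com", "bob@example.com", "carol@example.org"];

// Normalise the way a view would before hashing (trim + lowercase), so that
// "Alice@Example.com" and "alice@example.com" yield one pseudonym.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Unsalted SHA-256 of the address: the transformation the page describes.
function hashEmail(email: string): string {
  return createHash("sha256").update(normalizeEmail(email)).digest("hex");
}

// Only the part after the last "@" is exposed, for organisation-level tracking.
function emailDomain(email: string): string {
  const normalized = normalizeEmail(email);
  const at = normalized.lastIndexOf("@");
  return at === -1 ? "" : normalized.slice(at + 1);
}

// Keyed alternative (HMAC-SHA256 with a server-side secret; hypothetical, not
// what the page's views do). Without the key, knowing the address is not
// enough to recompute the pseudonym.
function keyedHashEmail(email: string, key: string): string {
  return createHmac("sha256", key).update(normalizeEmail(email)).digest("hex");
}

// Dictionary attack against a pseudonym: hash every candidate address with the
// same function and look for a match. Returns the recovered address, or null.
function matchHash(
  target: string,
  candidates: string[],
  hashFn: (email: string) => string,
): string | null {
  for (const candidate of candidates) {
    if (hashFn(candidate) === target) return candidate;
  }
  return null;
}

// Both sides at once: the unsalted hash is recovered from a list of known
// addresses; the keyed hash is not, unless the attacker also holds the key.
function demo(): { recoveredPlain: string | null; recoveredKeyed: string | null } {
  const plain = hashEmail("alice@example.com");
  const keyed = keyedHashEmail("alice@example.com", "server-side-secret");
  return {
    recoveredPlain: matchHash(plain, SAMPLE_EMAILS, hashEmail),
    recoveredKeyed: matchHash(keyed, SAMPLE_EMAILS, hashEmail),
  };
}
```

The practical consequence: a hashed email in PostHog is safe against someone who does not know the address, but an insider or partner who holds your user list can re-identify every row. If that threat matters, key the hash and keep the key out of the analytics pipeline.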

2. Mandatory Webhook Authentication

All Edge Functions now require webhook secrets:

  • Webhook secret verification is mandatory (no longer optional): a request is processed only if it presents the configured secret
  • Requests without proper authentication are rejected with a 500 error (a 401 Unauthorized would be the conventional status for an authentication failure; the 500 is what the current functions return, so that is the status to monitor for)
  • Failed authentication attempts are logged for security monitoring
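
An added example of the check described above, written for illustration and not taken from the project's Edge Functions. It verifies an HMAC-SHA256 signature over the raw request body with a constant-time comparison, fails closed when the secret is not configured, and logs every rejection. The header name, signature format and sample payload are assumptions; this example returns 401 on a bad signature where the page says the deployed functions return 500.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical header name and format: hex HMAC-SHA256 over the raw body,
// keyed with SUPABASE_WEBHOOK_SECRET. Adapt to whatever the caller actually sends.
const SIGNATURE_HEADER = "x-webhook-signature";

// Constructed sample payload, not a real event.
const SAMPLE_BODY = JSON.stringify({ type: "user.confirmed", user_id: "u-123" });

function sign(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// timingSafeEqual throws on length mismatch, so compare lengths first; a
// mismatch is itself a rejection, not an error.
function constantTimeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const ab = enc.encode(a);
  const bb = enc.encode(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

interface HookResult { status: number; body: string; }

// Header keys are assumed lowercased, as Deno/Node `Headers` normalise them.
// The raw body must be used as received: re-serialising a parsed object can
// change whitespace or key order and break the HMAC.
function handleWebhook(
  headers: Record<string, string>,
  rawBody: string,
  secret: string | undefined,
  log: (msg: string) => void = console.warn,
): HookResult {
  if (!secret) {
    // A missing secret is a deployment error: fail closed and say so loudly.
    log("webhook secret not configured; refusing request");
    return { status: 500, body: "webhook secret not configured" };
  }
  const presented = headers[SIGNATURE_HEADER];
  if (!presented || !constantTimeEqual(presented, sign(rawBody, secret))) {
    log(`webhook auth failed: signature ${presented ? "mismatch" : "missing"}`);
    return { status: 401, body: "unauthorized" };
  }
  // Only after verification is the payload parsed and acted on.
  const event = JSON.parse(rawBody);
  return { status: 200, body: `ok:${event.type ?? "unknown"}` };
}

// Statuses for: no header, wrong signature, valid, tampered body, no secret.
function demo(): number[] {
  const secret = "hypothetical-secret";
  const good = { [SIGNATURE_HEADER]: sign(SAMPLE_BODY, secret) };
  const bad = { [SIGNATURE_HEADER]: "00".repeat(32) };
  const quiet = () => {};
  return [
    handleWebhook({}, SAMPLE_BODY, secret, quiet).status,
    handleWebhook(bad, SAMPLE_BODY, secret, quiet).status,
    handleWebhook(good, SAMPLE_BODY, secret, quiet).status,
    handleWebhook(good, SAMPLE_BODY + " ", secret, quiet).status,
    handleWebhook(good, SAMPLE_BODY, undefined, quiet).status,
  ];
}
```

Two points worth keeping when adapting this: compare with `timingSafeEqual` rather than `===` so the check does not leak how many leading bytes matched, and treat "secret not set" as a hard failure so a misconfigured deployment can never quietly accept unauthenticated calls.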

3. Organization-Based Access Control

Feature flag evaluation now enforces strict access control:

  • Users can only evaluate flags for their own user ID (the ID is taken from the verified session, not trusted from the request body)
  • Organization membership is verified before allowing org-specific flags
  • All unauthorized access attempts are logged
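
An added example of the two authorization rules above, not the project's own implementation. The caller's identity and memberships are assumed to come from the verified JWT and a membership lookup that has already happened; the request shape, the flag names and the set of org-scoped flags are constructed for the illustration.

```typescript
// Hypothetical shapes. `userId` and `orgIds` come from the verified session and
// a membership lookup, never from the request body.
interface Caller { userId: string; orgIds: Set<string>; }
interface FlagRequest { flags: string[]; userId: string; orgId?: string; }
interface Decision { status: 200 | 403; reason?: string; }

// Constructed registry of which flags are organisation-scoped.
const ORG_SCOPED_FLAGS = new Set(["org-beta-dashboard", "org-sso-enforced"]);

function authorizeFlagRequest(
  caller: Caller,
  req: FlagRequest,
  log: (msg: string) => void = console.warn,
): Decision {
  // Rule 1: a user may evaluate flags only for their own user ID.
  if (req.userId !== caller.userId) {
    log(`flag eval denied: ${caller.userId} requested userId ${req.userId}`);
    return { status: 403, reason: "userId does not match authenticated user" };
  }
  // Rule 2: any org-scoped flag requires a verified membership in that org.
  const wantsOrgFlag = req.flags.some((f) => ORG_SCOPED_FLAGS.has(f));
  if (wantsOrgFlag) {
    if (!req.orgId) {
      log(`flag eval denied: ${caller.userId} requested org flags without orgId`);
      return { status: 403, reason: "orgId required for org-scoped flags" };
    }
    if (!caller.orgIds.has(req.orgId)) {
      log(`flag eval denied: ${caller.userId} is not a member of ${req.orgId}`);
      return { status: 403, reason: "not a member of the requested organization" };
    }
  }
  return { status: 200 };
}

// Statuses for: own user, other user, member org flag, non-member org flag,
// org flag with no orgId.
function demo(): number[] {
  const alice: Caller = { userId: "user-alice", orgIds: new Set(["org-acme"]) };
  const quiet = () => {};
  return [
    authorizeFlagRequest(alice, { flags: ["new-onboarding"], userId: "user-alice" }, quiet).status,
    authorizeFlagRequest(alice, { flags: ["new-onboarding"], userId: "user-bob" }, quiet).status,
    authorizeFlagRequest(alice, { flags: ["org-beta-dashboard"], userId: "user-alice", orgId: "org-acme" }, quiet).status,
    authorizeFlagRequest(alice, { flags: ["org-beta-dashboard"], userId: "user-alice", orgId: "org-globex" }, quiet).status,
    authorizeFlagRequest(alice, { flags: ["org-beta-dashboard"], userId: "user-alice" }, quiet).status,
  ];
}
```

The user-ID comparison is done before anything else so that a request for someone else's flags never reaches the membership lookup, and every denial is logged with the caller's verified identity rather than the identity the body claimed.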

4. Restricted Database Access

The posthog_readonly database user now has minimal permissions:

  • Direct access to all tables revoked
  • Can only SELECT from the specific PostHog views
  • Those views contain only pseudonymized and aggregated data

Required Actions

Immediate (Critical)

  1. Rotate API Keys:

    # Remove any hardcoded keys from code (and from git history where feasible)
    # Update all environment variables with new keys
    # Ensure keys are only in secure environments
    # Revoke the old keys once the new ones are deployed everywhere
  2. Update PostHog Views:

    supabase db push --include-all
  3. Set Webhook Secrets in all environments (generate the value from a cryptographically secure random source and never commit it):

    SUPABASE_WEBHOOK_SECRET=your-secure-webhook-secret

Within 24 Hours

  1. Verify Password Changed:

    • Confirm posthog_readonly password was changed from default
    • Use a strong, unique password
  2. Update PostHog CDP Configuration:

    • Re-sync tables after view updates
    • Verify data still flows correctly with hashed IDs
  3. Monitor Security Logs:

    • Check Edge Function logs for any failed auth attempts
    • Review PostHog data to ensure proper anonymization

Data Privacy Considerations

What PostHog Can See

  • Hashed user IDs (SHA-256; not reversible by computation, but matchable by anyone who already holds the plaintext ID or address)
  • Email domains (not full emails)
  • Industry and region metadata
  • Aggregated organization metrics
  • Time-based cohorts (week/day granularity)

What PostHog Cannot See

  • Actual email addresses
  • User names
  • Organization names or raw organization IDs
  • Individual user actions
  • Sensitive business data

Testing the Security Updates

  1. Test Webhook Security:

    # This should be rejected (the function currently returns a 500, see
    # "Mandatory Webhook Authentication" above) because no webhook secret is presented
    curl -i -X POST https://your-project.supabase.co/functions/v1/auth-hook \
      -H "Content-Type: application/json" \
      -d '{"test": "data"}'
  2. Test Feature Flag Access Control:

    // This should fail with a 403 error: the body names a user other than the
    // one the bearer token authenticates
    const response = await fetch('/functions/v1/feature-flags', {
      method: 'POST', // required: a GET request cannot carry a body
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        flags: ['test-flag'],
        userId: 'different-user-id', // Not the authenticated user
      }),
    })
    console.assert(response.status === 403)
  3. Verify Data Anonymization:

    • Check PostHog dashboard for hashed IDs
    • Ensure no PII is visible in analytics

Ongoing Security Practices

  1. Regular Key Rotation: Rotate API keys every 90 days
  2. Access Reviews: Quarterly review of database permissions
  3. Security Monitoring: Set up alerts for failed authentication
  4. Data Retention: Implement 90-day retention for sensitive data
  5. Compliance: Regular audits for GDPR/privacy compliance

Support

If you encounter any issues with these security updates:

  1. Check Edge Function logs for detailed error messages
  2. Verify all environment variables are set correctly
  3. Ensure database migrations have been applied
  4. Contact security team for assistance