PostHog self-hosting is a multi-service deployment, so security depends on correct hostnames, proxy trust configuration, cookie settings, and key management.
PostHog documents SECRET_KEY, SITE_URL, and IS_BEHIND_PROXY as key deployment settings.
Hardening baseline:
- Set SECRET_KEY and store it in your secret manager
- Set SITE_URL to the exact public HTTPS URL users access
- Set IS_BEHIND_PROXY=true when deployed behind reverse proxies/LB
PostHog environment variables include cookie and host controls.
Required controls:
- Set SECURE_COOKIES=true in HTTPS production deployments
- Set ALLOWED_HOSTS explicitly to accepted hostnames only
PostHog provides TRUSTED_PROXIES and related controls for proxy mode.
Proxy hardening:
- Set TRUSTED_PROXIES to known proxy CIDRs only
- X-Forwarded-Proto, X-Forwarded-For) at ingress
PostHog’s security policy requires running currently supported versions and reporting vulnerabilities privately.
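The baseline, cookie/host and proxy settings above can be checked mechanically before a deploy. The following is an added example, not PostHog's own code: the function names, the 32-character minimum for SECRET_KEY, and the comma-separated format assumed for ALLOWED_HOSTS and TRUSTED_PROXIES are assumptions, and both sample env files are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample env files (not from a real deployment).
WEAK = ("SECRET_KEY=changeme\nSITE_URL=http://analytics.example.com\n"
        "IS_BEHIND_PROXY=true\nALLOWED_HOSTS=*\nTRUSTED_PROXIES=0.0.0.0/0\n")
HARDENED = ("SECRET_KEY=constructed-placeholder-not-a-real-key-0000\n"
            "SITE_URL=https://analytics.example.com\nSECURE_COOKIES=true\n"
            "ALLOWED_HOSTS=analytics.example.com\nIS_BEHIND_PROXY=true\n"
            "TRUSTED_PROXIES=10.0.0.0/24,192.0.2.10\n")

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def csv(env, key):  # assumed format: comma-separated values
    return [x.strip() for x in env.get(key, "").split(",") if x.strip()]

def on(env, key):
    return env.get(key, "").lower() in ("1", "true", "yes")

def audit(env, min_key_len=32):  # 32 is an assumed minimum, not a PostHog rule
    """Return findings; an empty list means every check passed."""
    out = []
    if len(env.get("SECRET_KEY", "")) < min_key_len:
        out.append("SECRET_KEY missing or too short")
    site = urlparse(env.get("SITE_URL", ""))
    if site.scheme != "https" or not site.hostname:
        out.append("SITE_URL is not an absolute https:// URL")
    if not on(env, "SECURE_COOKIES"):
        out.append("SECURE_COOKIES is not true")
    hosts = csv(env, "ALLOWED_HOSTS")
    if not hosts or "*" in hosts:
        out.append("ALLOWED_HOSTS is empty or wildcard")
    if on(env, "IS_BEHIND_PROXY"):
        proxies = csv(env, "TRUSTED_PROXIES")
        if not proxies:
            out.append("IS_BEHIND_PROXY is true but TRUSTED_PROXIES is empty")
        for p in proxies:
            try:
                if ipaddress.ip_network(p, strict=False).prefixlen == 0:
                    out.append("TRUSTED_PROXIES trusts every address: " + p)
            except ValueError:
                out.append("TRUSTED_PROXIES entry is not an IP or CIDR: " + p)
    return out

if __name__ == "__main__":
    print(audit(parse_env(WEAK)))
```

Run it in CI against the rendered environment file so a wildcard host or an open proxy range fails the pipeline instead of reaching production.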
Operational policy:
PostHog combines ingestion, analytics UI, and admin controls.
Risk reduction:
SECRET_KEY, SITE_URL, proxy/cookie/host settings): https://posthog.com/docs/self-host/configure/environment-variables