refactor(security): redact PostHog exception props via before_send denylist

huv1k · huv1k · commit 49a5aac8dff2 · 2026-06-12T15:58:08.000+02:00
Adopt PostHog's recommended before_send redaction pattern (https://posthog.com/tutorials/web-redact-properties): null URL/user-agent properties by key name on $exception events. Scoped to exceptions to preserve web analytics URL/referrer context, and the error message text is still scrubbed for embedded secrets rather than nulled so errors stay debuggable.
diff --git a/src/features/posthog-sanitize.ts b/src/features/posthog-sanitize.ts
@@ -2,7 +2,36 @@ import type { CaptureResult } from 'posthog-js'
 
 const REDACTED = '[redacted]'
 
-const REDACTION_RULES: { pattern: RegExp; replacement: string }[] = [
+// Property keys (substring match) whose values can carry sensitive data: URLs
+// may embed tokens, user agents fingerprint users. Redacted following PostHog's
+// recommended before_send pattern:
+// https://posthog.com/tutorials/web-redact-properties
+const REDACTED_PROPERTY_KEYS = [
+  'url',
+  'href',
+  'pathname',
+  'referrer',
+  'host',
+  'user_agent',
+]
+
+function filterProperties(
+  properties: Record<string, unknown>
+): Record<string, unknown> {
+  return Object.entries(properties).reduce<Record<string, unknown>>(
+    (acc, [key, value]) => {
+      acc[key] = REDACTED_PROPERTY_KEYS.some((prop) => key.includes(prop))
+        ? null
+        : value
+      return acc
+    },
+    {}
+  )
+}
+
+// Secret values that may be embedded in the exception message/stack text, which
+// (unlike URL properties) we keep rather than null so errors stay debuggable.
+const SECRET_VALUE_RULES: { pattern: RegExp; replacement: string }[] = [
   // JWTs (header.payload.signature)
   {
     pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
@@ -21,34 +50,37 @@ const REDACTION_RULES: { pattern: RegExp; replacement: string }[] = [
   },
 ]
 
-function redact(value: string): string {
-  return REDACTION_RULES.reduce(
+function redactSecrets(value: string): string {
+  return SECRET_VALUE_RULES.reduce(
     (acc, { pattern, replacement }) => acc.replace(pattern, replacement),
     value
   )
 }
 
 /**
- * `before_send` hook that strips credentials from $exception event text before
- * it leaves the browser, so raw error messages/stacks can't leak secrets to
- * PostHog. Covers both manual captureException and automatic capture_exceptions.
+ * `before_send` hook that scrubs $exception events before they leave the
+ * browser: nulls URL/user-agent properties (token leak + fingerprinting) and
+ * strips embedded secrets from the error message text. Scoped to exceptions so
+ * web analytics keeps its URL/referrer context.
  */
 export function sanitizePostHogEvent(
   event: CaptureResult | null
 ): CaptureResult | null {
   if (!event || event.event !== '$exception') return event
 
-  const props = event.properties
-  if (!props) return event
+  event.properties = filterProperties(event.properties ?? {})
+  if (event.$set) event.$set = filterProperties(event.$set)
+  if (event.$set_once) event.$set_once = filterProperties(event.$set_once)
 
-  if (typeof props.$exception_message === 'string') {
-    props.$exception_message = redact(props.$exception_message)
+  const message = event.properties.$exception_message
+  if (typeof message === 'string') {
+    event.properties.$exception_message = redactSecrets(message)
   }
 
-  if (Array.isArray(props.$exception_list)) {
-    for (const item of props.$exception_list) {
+  if (Array.isArray(event.properties.$exception_list)) {
+    for (const item of event.properties.$exception_list) {
       if (item && typeof item.value === 'string') {
-        item.value = redact(item.value)
+        item.value = redactSecrets(item.value)
       }
     }
   }
diff --git a/tests/unit/posthog-sanitize.test.ts b/tests/unit/posthog-sanitize.test.ts
@@ -30,6 +30,31 @@ describe('sanitizePostHogEvent', () => {
     )
   })
 
+  it('nulls URL and user-agent properties on exception events', () => {
+    const event = {
+      uuid: 'x',
+      event: '$exception',
+      properties: {
+        $current_url: 'https://app/team/abc?token=secret',
+        $pathname: '/team/abc',
+        $referrer: 'https://app/login?code=xyz',
+        $host: 'app.e2b.dev',
+        $raw_user_agent: 'Mozilla/5.0',
+        $exception_message: 'boom',
+        custom_count: 3,
+      },
+    } as CaptureResult
+    const result = sanitizePostHogEvent(event)
+    expect(result?.properties.$current_url).toBeNull()
+    expect(result?.properties.$pathname).toBeNull()
+    expect(result?.properties.$referrer).toBeNull()
+    expect(result?.properties.$host).toBeNull()
+    expect(result?.properties.$raw_user_agent).toBeNull()
+    // Non-sensitive properties are preserved.
+    expect(result?.properties.custom_count).toBe(3)
+    expect(result?.properties.$exception_message).toBe('boom')
+  })
+
   it('redacts JWTs in the exception message', () => {
     const jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NSJ9.s5G_abcDEF-123'
     const event = sanitizePostHogEvent(
