fix(security): redact secrets from PostHog exception events

huv1k · huv1k · commit eecc3afda547 · 2026-06-12T15:44:42.000+02:00
Add a before_send hook that strips JWTs, API-key-like tokens, and sensitive
URL query-param values from $exception event text before it leaves the
browser. Covers both manual captureException and automatic capture_exceptions
so raw error messages/stacks can't leak credentials to PostHog.
diff --git a/src/features/posthog-provider.tsx b/src/features/posthog-provider.tsx
@@ -1,6 +1,7 @@
 import posthog, { type Survey } from 'posthog-js'
 import { PostHogProvider as PHProvider } from 'posthog-js/react'
 import { createContext, useContext, useEffect, useState } from 'react'
+import { sanitizePostHogEvent } from './posthog-sanitize'
 
 interface AppPostHogContextValue {
   enabled: boolean
@@ -53,6 +54,8 @@ export function PostHogProvider({
         capture_unhandled_rejections: true,
         capture_console_errors: false,
       },
+      // Redact secrets from exception text before it leaves the browser.
+      before_send: sanitizePostHogEvent,
       advanced_enable_surveys: true,
       disable_session_recording: process.env.NODE_ENV !== 'production',
       advanced_disable_toolbar_metrics: true,
diff --git a/src/features/posthog-sanitize.ts b/src/features/posthog-sanitize.ts
@@ -0,0 +1,57 @@
+import type { CaptureResult } from 'posthog-js'
+
+const REDACTED = '[redacted]'
+
+const REDACTION_RULES: { pattern: RegExp; replacement: string }[] = [
+  // JWTs (header.payload.signature)
+  {
+    pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
+    replacement: REDACTED,
+  },
+  // API-key-like tokens (e.g. sk_..., pk_..., rk_..., e2b_...)
+  {
+    pattern: /\b(?:sk|pk|rk|e2b)_[A-Za-z0-9-]{8,}\b/gi,
+    replacement: REDACTED,
+  },
+  // Sensitive URL query params: keep the key, drop the value
+  {
+    pattern:
+      /([?&][^=&\s]*(?:token|key|secret|password|passwd|auth|session|code)[^=&\s]*=)[^&\s#"']+/gi,
+    replacement: `$1${REDACTED}`,
+  },
+]
+
+function redact(value: string): string {
+  return REDACTION_RULES.reduce(
+    (acc, { pattern, replacement }) => acc.replace(pattern, replacement),
+    value
+  )
+}
+
+/**
+ * `before_send` hook that strips credentials from $exception event text before
+ * it leaves the browser, so raw error messages/stacks can't leak secrets to
+ * PostHog. Covers both manual captureException and automatic capture_exceptions.
+ */
+export function sanitizePostHogEvent(
+  event: CaptureResult | null
+): CaptureResult | null {
+  if (!event || event.event !== '$exception') return event
+
+  const props = event.properties
+  if (!props) return event
+
+  if (typeof props.$exception_message === 'string') {
+    props.$exception_message = redact(props.$exception_message)
+  }
+
+  if (Array.isArray(props.$exception_list)) {
+    for (const item of props.$exception_list) {
+      if (item && typeof item.value === 'string') {
+        item.value = redact(item.value)
+      }
+    }
+  }
+
+  return event
+}
diff --git a/tests/unit/posthog-sanitize.test.ts b/tests/unit/posthog-sanitize.test.ts
@@ -0,0 +1,69 @@
+import type { CaptureResult } from 'posthog-js'
+import { describe, expect, it } from 'vitest'
+import { sanitizePostHogEvent } from '@/features/posthog-sanitize'
+
+function exceptionEvent(message: string, listValue?: string): CaptureResult {
+  return {
+    uuid: 'test',
+    event: '$exception',
+    properties: {
+      $exception_message: message,
+      ...(listValue !== undefined
+        ? { $exception_list: [{ type: 'Error', value: listValue }] }
+        : {}),
+    },
+  } as CaptureResult
+}
+
+describe('sanitizePostHogEvent', () => {
+  it('returns null and non-exception events untouched', () => {
+    expect(sanitizePostHogEvent(null)).toBeNull()
+
+    const pageview = {
+      uuid: 'x',
+      event: '$pageview',
+      properties: { $current_url: 'https://app/?token=secret123' },
+    } as CaptureResult
+    expect(sanitizePostHogEvent(pageview)).toBe(pageview)
+    expect(pageview.properties.$current_url).toBe(
+      'https://app/?token=secret123'
+    )
+  })
+
+  it('redacts JWTs in the exception message', () => {
+    const jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NSJ9.s5G_abcDEF-123'
+    const event = sanitizePostHogEvent(
+      exceptionEvent(`Auth failed with ${jwt}`)
+    )
+    expect(event?.properties.$exception_message).toBe(
+      'Auth failed with [redacted]'
+    )
+  })
+
+  it('redacts API-key-like tokens', () => {
+    const event = sanitizePostHogEvent(
+      exceptionEvent('bad key e2b_0123456789abcdef and sk_ABCDEFGHIJ')
+    )
+    expect(event?.properties.$exception_message).toBe(
+      'bad key [redacted] and [redacted]'
+    )
+  })
+
+  it('keeps the key but drops the value of sensitive query params', () => {
+    const event = sanitizePostHogEvent(
+      exceptionEvent('GET /cb?access_token=abc123&page=2 failed')
+    )
+    expect(event?.properties.$exception_message).toBe(
+      'GET /cb?access_token=[redacted]&page=2 failed'
+    )
+  })
+
+  it('redacts values inside $exception_list', () => {
+    const event = sanitizePostHogEvent(
+      exceptionEvent('outer', 'inner secret sk_ABCDEFGHIJ token')
+    )
+    expect(event?.properties.$exception_list[0].value).toBe(
+      'inner secret [redacted] token'
+    )
+  })
+})
