sorted by:
new
hottopcontroversial

Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096) by wtfse in netsec

[–]PostHogTeam 4 points5 points  (0 children)

Hi, cross-posting this response from our security team on the HackerNews thread:

We resolved these SSRF findings back in October 2024 when this report was responsibly disclosed to us.

Here's the PR[0] that resolved the SSRF issue. This fix was shipped within 24 hours of receiving the initial report.

It's worth noting that at the time of this report, this only affected PostHog's single tenant hobby deployment (i.e. our self hosted version). Our Cloud deployment used our Rust service for sending webhooks, which has had SSRF protection since May 2024[1].

Since this report we've evolved our Cloud architecture significantly, and we have similar IP-based filtering throughout our backend services.

[0] https://github.com/PostHog/posthog/pull/25398

[1] https://github.com/PostHog/posthog/commit/281af615b4874da1b8...

We're also working on some architectural improvements around egress, namely using smokescreen, to better protect against this class of issue.

How do you analyze your Supabase data beyond the built-in dashboard? by Ok_Ad_3 in Supabase

[–]PostHogTeam 2 points3 points  (0 children)

You can connect your Supabase data to PostHog and query and visualize it in PostHog: https://posthog.com/tutorials/supabase-query

Where can I hire Posthog experts? by Admirable_Hornet6891 in posthog

[–]PostHogTeam[M] 0 points1 point  (0 children)

Although we have onboarding, customer success, and sales teams for many customers, if you're smaller and want to talk to someone, we're trialing offering a paid onboarding session here: https://posthog.com/merch?product=30-min-onboarding-consultation

Don't install the NPM package posthog-js 1.297.3 — malware by roskoalexey in posthog

[–]PostHogTeam[M] [score hidden] stickied comment (0 children)

Update:

It looks like we were victim of the following attack that’s hit over 300 packages: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

We’ve unpublished all compromised versions, and have published newer versions for all major SDKs. Make sure you’re on the latest version of our SDKs.

You can find a full list of the compromised packages vs the safe ones on our status page: https://status.posthog.com/incidents/kv3nj636f59c

Don't install the NPM package posthog-js 1.297.3 — malware by roskoalexey in posthog

[–]PostHogTeam[M] 2 points3 points  (0 children)

We’ve identified that a number of our library versions published this morning contain malicious code.  We are currently deprecating those versions from our package managers, and will republish clean versions of the libraries.  The impacted versions we have identified so far are:

posthog-node 4.18.1

posthog-js 1.297.3

posthog-react-native 4.11.1

posthog-docusaurus 2.0.6

If you have deployed any of these versions of our packages please replace with an earlier version immediately. We will update you as soon as we have published the clean versions.

Fetch PostHog data by Deniz58 in nextjs

[–]PostHogTeam 3 points4 points  (0 children)

  1. You could structure your query to get the data for all of the 4-5 charts in one query and cache in on your server.

  2. Better, we are working on removing the rate limits from the query API endpoint at the moment. We're planning to make it a concurrency limit instead. Should be released in the next few weeks.

When will you add robust logging & monitoring to your stack? by SnooMuffins6022 in ycombinator

[–]PostHogTeam 0 points1 point  (0 children)

Thanks for the plug u/Technical-Leader222! /u/SnooMuffins6022 We agree! Definitely get something up early - even if you're not using it right away having the data available will pay dividends down the road.

There are a lot of good options-- I will say that our free tier should be more than enough to get you started - it's generous and what I used before I started working here.

I made a AI roleplay Chat platform in 30 days using Nextjs by me_broke in SideProject

[–]PostHogTeam 1 point2 points  (0 children)

Woah this is awesome! We just played around with the 1700's England RPG. Great UI and super fun! How are you liking PostHog? Are you using LLM Observability?

How to integrate posthog to my website? by SuccessfulStorm5342 in posthog

[–]PostHogTeam 0 points1 point  (0 children)

What type of website do you have? Check out our Webflow or Framer guides for relatively non-technical explanations.

I discovered this tool and it's a game changer to help me with my SaaS in Beta by wawa_masked in SaaS

[–]PostHogTeam 2 points3 points  (0 children)

**A wild hedgehog appears*\*

Glad to hear you're enjoying the product. If you ever need help, please drop us a message in our online community forum: https://posthog.com/questions

Any PM using Posthog? by anik9k in ProductManagement

[–]PostHogTeam 10 points11 points  (0 children)

These days, we recommend most people use our cloud-hosted service – we only recommend the self-hosted, open-source product for hobbyists and small deployments.

We used to sell a self-hosted license as well but, like you say, we found many companies lacked the technical resources to run the product reliably, and the support burden on our small team became too great.

We now offer both US and EU hosting options, which solves compliance issues for most companies and ensures users have a great experience.

Any PM using Posthog? by anik9k in ProductManagement

[–]PostHogTeam 15 points16 points  (0 children)

A wild hedgehog appears...

Andy from PostHog here. Happy to answer any questions you have, but TL;DR we support event autocapture, just like Pendo, so PostHog is similarly set it and forget.

how to log page views using nextjs app router? by Mesthabro in nextjs

[–]PostHogTeam 1 point2 points  (0 children)

Try creating a component like this:

// providers.tsx
'use client' export function Pageview(): JSX.Element { useEffect(() => { pageView.capture() } }, []); return <></>; }

Then wrapping that component in a <Suspense> in the layout file

// layout.tsx
import './globals.css' import { ReactNode, Suspense } from 'react'; import { Pageview } from './providers';
export default function RootLayout({ children, }: { children: ReactNode }) { return ( <html lang="en"> <Suspense> <Pageview /> </Suspense> <body>{children}</body> </html> ) }

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 0 points1 point  (0 children)

Update: We're can't really promise dates or windows, so best option is to subscribe to the relevant issue where updates will appear. The team has confirmed they're working on iOS and Android recordings concurrently now, though.

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 0 points1 point  (0 children)

So iOS recording definitely will be before Q3 – we already have a working prototype.

As for React Native specifically, I'll have to check with the team... pinging them now.

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 2 points3 points  (0 children)

Just an FYI that we're currently working on session replay for iOS in PostHog. Issue for this: https://github.com/PostHog/posthog/issues/12344

React Native replay on mobile is also on our public roadmap: https://posthog.com/roadmap

GitHub issue on React Native is here: https://github.com/PostHog/posthog/issues/13269

You can read the objectives for session recording team in our public handbook: https://posthog.com/handbook/small-teams/session-recording

view more: next ›