Fix guide · low · posthog_api_key

PostHog public project key (phc_) in client code

What this rule means

A PostHog project API key with the phc_ prefix was found in your client bundle. Keys with this prefix are designed to be embedded in client code, so finding one there is expected rather than a leak.

Why it matters

PostHog project keys (phc_*) are designed for client-side use: they only tell PostHog which project incoming events belong to, and they cannot be used to query, export or administer the project. The risk is therefore bounded: anyone holding the key can send forged events to your project, which pollutes your analytics and can inflate your event volume. A personal API key (phx_*), which authenticates against the PostHog API with the permissions of the user who created it, is a different matter and would be a real leak.

How to fix it

This is not a vulnerability in itself. If you want to harden:

  1. Restrict the origins allowed to send events to your project via PostHog's event ingestion authorization settings. Treat this as noise reduction rather than a security boundary: a non-browser client can set any Origin header it likes, so forged events remain possible.
  2. Check that what was flagged really is a phc_* project key and not a personal API key (phx_*). Personal keys authenticate against the PostHog API and belong server-side only; if one is in your bundle, rotate it in PostHog and remove it from the client.
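The distinction in step 2 is the one worth automating. Below is an added example, not vibecheck's scanner and not PostHog code, that walks a bundle's text, picks out PostHog-style keys and grades them: phc_ as low (public project key) and phx_ as high (personal key that must never ship). The key regex, the sample bundle and the keys inside it are constructed for illustration; real PostHog key lengths may differ, so the pattern is deliberately tolerant.

```javascript
// Added example: classify PostHog-style keys found in a client bundle.
// Not vibecheck's or PostHog's code. The pattern below is an assumption:
// "phc_" or "phx_" followed by at least 20 alphanumerics.
const KEY_PATTERN = /\bph(c|x)_[A-Za-z0-9]{20,}\b/g;

// Constructed bundle text; both keys are made up for this example.
const SAMPLE_BUNDLE = `
posthog.init("phc_EXAMPLEpublicProjectKey00000000000000000", {
  api_host: "https://us.i.posthog.com",
});
// shipped by mistake:
const PERSONAL = "phx_EXAMPLEpersonalKeyShouldNeverShip00000000";
`;

// Grade a single key by prefix. Only the prefix decides the severity:
// phc_ is the public project key, phx_ is a personal API key.
function classifyKey(key) {
  if (key.startsWith("phc_")) {
    return {
      key,
      kind: "project",
      severity: "low",
      note: "Public project key; intended for client-side use. Worst case: forged events pollute analytics.",
    };
  }
  return {
    key,
    kind: "personal",
    severity: "high",
    note: "Personal API key; authenticates against the PostHog API. Must never ship in a bundle. Rotate it.",
  };
}

// Find every distinct key in the bundle text and classify it.
function scanBundle(text) {
  const seen = new Set();
  const findings = [];
  for (const match of text.matchAll(KEY_PATTERN)) {
    const key = match[0];
    if (seen.has(key)) continue; // report each key once
    seen.add(key);
    findings.push(classifyKey(key));
  }
  return findings;
}

// Redact a key for a report: keep the prefix and the last four characters,
// enough to match against the bundle without reprinting the secret.
function redact(key) {
  return key.slice(0, 4) + "…" + key.slice(-4);
}

// Overall grade for a scan: any personal key makes the whole result high.
function highestSeverity(findings) {
  if (findings.some((f) => f.severity === "high")) return "high";
  return findings.length > 0 ? "low" : "none";
}

const findings = scanBundle(SAMPLE_BUNDLE);
for (const f of findings) {
  console.log(`${f.severity}\t${f.kind}\t${redact(f.key)}\t${f.note}`);
}
console.log("overall:", highestSeverity(findings));
```

Run it with `node` on the file; for a real bundle, replace `SAMPLE_BUNDLE` with the bundle contents read from disk. A phc_ match alone leaves the overall result at "low", matching this rule; a single phx_ match lifts it to "high", which is the case that needs rotation.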

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
