Content Security Policy and ingestion domains

Using Content Security Policies

NOTE: This only applies to PostHog Cloud.

As described on MDN: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

If you choose to use a CSP, it is important to ensure that PostHog domains are permitted. PostHog is a distributed cloud service, so the specific domains it uses can change over time, but they will always be served from the root domain posthog.com. You should therefore add *.posthog.com to your CSP directive.

Domains used by PostHog clients

WARNING: Adding more specific domains is not recommended as we may change target subdomains over time. If you do specify a non-wildcard domain, we cannot guarantee that it will continue to work in the future.

Our client SDKs (where appropriate) will take care of selecting the correct domain. Typically you do not need to be aware of these domains. For example, when you specify api_host: "https://app.posthog.com", the SDK will recognize this as a US configuration and make the correct calls to us.i.posthog.com or us-assets.i.posthog.com accordingly.

| Domain | Usage |
| --- | --- |
| us.i.posthog.com | US ingestion endpoint for client SDK API calls |
| us-assets.i.posthog.com | US CDN for client SDK assets (such as array.js) |
| eu.i.posthog.com | EU ingestion endpoint for client SDK API calls |
| eu-assets.i.posthog.com | EU CDN for client SDK assets (such as array.js) |
| eu.posthog.com | EU PostHog app domain (used by the Toolbar) and also legacy ingestion |
| us.posthog.com | US PostHog app domain (used by the Toolbar) |
| app.posthog.com | Legacy ingestion endpoint |
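
The following is an added example, not PostHog's own code: it checks a policy string against the ingestion and asset hosts in the table above, and shows why allow-listing only the configured api_host fails once the SDK switches to the regional hosts. The mapping of API calls to connect-src and assets to script-src, the function names and both sample policies are assumptions made for illustration.

```javascript
// Hosts are taken from the table above; the policies are constructed samples.
// Assumption: SDK API calls are governed by connect-src, SDK assets by script-src.
const POSTHOG_HOSTS = {
  us: { "connect-src": "us.i.posthog.com", "script-src": "us-assets.i.posthog.com" },
  eu: { "connect-src": "eu.i.posthog.com", "script-src": "eu-assets.i.posthog.com" },
};

// Parse a policy into { directive: [sources] }; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Simplified host-source match: scheme, port and path are not compared.
function hostMatches(source, host) {
  if (/^https:$/i.test(source)) return true; // scheme-source allows any https host
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:]/)[0].toLowerCase();
  if (pattern === "*") return true;
  // "*.posthog.com" covers subdomains at any depth, but not "posthog.com" itself.
  if (pattern.startsWith("*.")) return host.toLowerCase().endsWith(pattern.slice(1));
  return pattern === host.toLowerCase();
}

// List the "<directive> <host>" pairs that the policy would block for a region.
function blockedPostHogHosts(policy, region) {
  const csp = parseCsp(policy);
  const blocked = [];
  for (const [directive, host] of Object.entries(POSTHOG_HOSTS[region])) {
    const sources = csp[directive] ?? csp["default-src"]; // fall back to default-src
    if (sources === undefined) continue; // no governing directive, nothing restricted
    if (!sources.some((s) => hostMatches(s, host))) blocked.push(`${directive} ${host}`);
  }
  return blocked;
}

const WILDCARD = "default-src 'self'; script-src 'self' https://*.posthog.com; connect-src 'self' https://*.posthog.com";
const PINNED_LEGACY = "default-src 'self'; script-src 'self' https://app.posthog.com; connect-src 'self' https://app.posthog.com";

console.log(blockedPostHogHosts(WILDCARD, "us"));      // nothing blocked
console.log(blockedPostHogHosts(PINNED_LEGACY, "us")); // both regional hosts blocked
```
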
