You can restrict access to PostHog by IP by passing ALLOWED_IP_BLOCKS. This is a comma-separated list whose entries can be either individual IP addresses or subnets. For example:
If you try to access your PostHog instance with a different IP, you will get an error message.
This restriction does not apply to the endpoints used to send events, like
If you're behind a proxy, you need to either set trusted proxies
Or you can implicitly trust all proxies:
TRUST_ALL_PROXIES, make sure your proxy (like NGINX) is setting the header X-Forwarded-For, like in the example above. If not, it would still be possible to spoof your IP address.
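The following is an added example, not PostHog's own code, showing why the proxy must set X-Forwarded-For itself before an IP allowlist can rely on it; it goes slightly beyond the text by handling a header that carries several hops. The function names, the resolution logic and every address are assumptions constructed for illustration.

```python
import ipaddress

def parse_blocks(csv):
    """Parse a comma-separated list of IPs or subnets (the ALLOWED_IP_BLOCKS format)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in csv.split(",") if item.strip()]

def in_blocks(ip, blocks):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in blocks)

def client_ip(remote_addr, xff, trusted_proxies=(), trust_all=False):
    """Pick the address the allowlist is checked against (hypothetical model)."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    if trust_all:
        # Assumed trust-all behaviour: believe the first header entry.
        # Only safe when the proxy overwrites the header with the real peer.
        return hops[0]
    if not in_blocks(remote_addr, trusted_proxies):
        # The peer is not a known proxy, so its header is untrusted input.
        return remote_addr
    # Walk right to left; the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not in_blocks(hop, trusted_proxies):
            return hop
    return hops[0]

def is_allowed(remote_addr, xff, allowed_csv, trusted_csv="", trust_all=False):
    try:
        ip = client_ip(remote_addr, xff, parse_blocks(trusted_csv), trust_all)
        return in_blocks(ip, parse_blocks(allowed_csv))
    except ValueError:
        return False  # malformed address anywhere: fail closed

# Constructed sample values (documentation address ranges).
ALLOWED = "198.51.100.0/24, 203.0.113.7"
PROXY = "10.0.0.2"
OUTSIDER = "192.0.2.66"

if __name__ == "__main__":
    # Proxy appends instead of overwriting: the outsider's forged first entry wins.
    print(is_allowed(PROXY, "203.0.113.7, " + OUTSIDER, ALLOWED, trust_all=True))
    # Proxy overwrites the header with the real peer: the outsider is rejected.
    print(is_allowed(PROXY, OUTSIDER, ALLOWED, trust_all=True))
    # Explicit trusted proxy: the forged entry is ignored even if appended.
    print(is_allowed(PROXY, "203.0.113.7, " + OUTSIDER, ALLOWED, trusted_csv=PROXY))
```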
If you're on Heroku, you are behind a proxy by default, so you'll need to add IS_BEHIND_PROXY=True. Heroku automatically overrides X-Forwarded-For, so you can use
Secret keys are used to encrypt cookies and password reset emails, among other things. To generate a secret key, run:
openssl rand -hex 32