From 8ac8562b882b804fcb5ab5d70584fb754e47cef2 Mon Sep 17 00:00:00 2001 From: ablaszkiewicz Date: Tue, 23 Jun 2026 14:11:49 +0200 Subject: [PATCH 1/2] docs: document automatic secret detection for Python code variables Add a concise section covering the entropy-based `code_variables_detect_secrets` option (default on) and its per-context override. Co-Authored-By: Claude Opus 4.8 --- .../error-tracking/code-variables/python.mdx | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/contents/docs/error-tracking/code-variables/python.mdx b/contents/docs/error-tracking/code-variables/python.mdx index 55975e0dd90d..b556c332700b 100644 --- a/contents/docs/error-tracking/code-variables/python.mdx +++ b/contents/docs/error-tracking/code-variables/python.mdx @@ -87,6 +87,29 @@ with new_context(): mask_patterns_will_only_apply_to_this_method() ``` +### Detecting secrets automatically + +As a last resort, the SDK also scans captured variable *values* for high-entropy secrets that name-based masking misses — API keys, tokens, and strong passwords in innocuously-named variables — and replaces them with `***`. It recognizes common key formats (OpenAI, Anthropic, AWS, Stripe, GitHub, and more) and random high-entropy strings, while leaving identifiers like UUIDs, hashes, file paths, and URLs untouched. + +This is enabled by default. To disable it globally: + +```python +posthog = Posthog( + "", + enable_exception_autocapture=True, + capture_exception_code_variables=True, + code_variables_detect_secrets=False, +) +``` + +Or for a specific code block using contexts: + +```python +with new_context(): + set_code_variables_detect_secrets_context(False) + detection_disabled_only_here() +``` + ### Ignoring variables Variable names matching ignore patterns are not captured at all. This is useful for excluding internal variables, temporary data, or framework-specific variables that don't provide debugging value. From d500a37cf69bdc3abdd30162538342d2c5fcc35b Mon Sep 17 00:00:00 2001 From: ablaszkiewicz Date: Tue, 23 Jun 2026 16:03:54 +0200 Subject: [PATCH 2/2] docs: document connection string credential masking for Python code variables Add a concise section covering code_variables_mask_url_credentials (default on): how it works (scrub credentials, keep scheme/host/path), and how to disable it globally or per-context. Co-Authored-By: Claude Opus 4.8 --- .../error-tracking/code-variables/python.mdx | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/contents/docs/error-tracking/code-variables/python.mdx b/contents/docs/error-tracking/code-variables/python.mdx index b556c332700b..12d313dabf5b 100644 --- a/contents/docs/error-tracking/code-variables/python.mdx +++ b/contents/docs/error-tracking/code-variables/python.mdx @@ -110,6 +110,34 @@ with new_context(): detection_disabled_only_here() ``` +### Masking connection string credentials + +Credentials embedded in connection strings and URLs are scrubbed automatically, regardless of the variable name. Only the credentials are replaced — the scheme, host, and path are kept so the value stays useful for debugging: + +``` +postgresql://user:password@db.example.com:5432/mydb +→ postgresql://***@db.example.com:5432/mydb +``` + +This is enabled by default. To disable it globally: + +```python +posthog = Posthog( + "", + enable_exception_autocapture=True, + capture_exception_code_variables=True, + code_variables_mask_url_credentials=False, +) +``` + +Or for a specific code block using contexts: + +```python +with new_context(): + set_code_variables_mask_url_credentials_context(False) + masking_disabled_only_here() +``` + ### Ignoring variables Variable names matching ignore patterns are not captured at all. This is useful for excluding internal variables, temporary data, or framework-specific variables that don't provide debugging value.