Network performance recording

Last updated:

|Edit this page

PostHog can capture network requests that occur during the browser session, so you can see if your application is sending the expected requests and response, and check the effect of slow network requests or errors on the user experience.

You can enable network recording from your project settings:

Enable network recording in your PostHog

When enabled PostHog always captures:

When request capture is enabled you can also enabled payload and body capture, this includes:

  • the request method
  • the response code
  • request & response headers (if enabled)
  • request & response body (if enabled)

Sensitive information

We automatically scrub some sensitive information from network headers and payloads, but if your request or response payloads could contain sensitive data, you should provide a function to mask the captured data when you initialize PostHog.

We have a deny-list of headers that we will never capture (even if you provide a masking function).

  • authorization
  • x-forwarded-for
  • authorization
  • cookie
  • set-cookie
  • x-api-key
  • x-real-ip
  • remote-addr
  • forwarded
  • proxy-authorization
  • x-csrf-token
  • x-csrftoken
  • x-xsrf-token

And we redact bodies if we believe they contain

  • credit card numbers
  • social security numbers
  • password
  • secret
  • passwd
  • api_key
  • apikey
  • auth
  • credentials
  • mysql_pwd
  • privatekey
  • private_key
  • token

Note: If you provide a masking function to alter redaction of payloads it entirely replaces PostHog's automatic payload redaction.

How to register a callback to inspect and redact each network request

Web
posthog.init('<ph_project_api_key>', {
session_recording: {
maskCapturedNetworkRequestFn: (request: CapturedNetworkRequest) => {
// For example: ignoring a request entirely
if (request.name.includes('example.com')) {
return null
}
// ... or remove the query string from the URL
request.name = request.name.split('?')[0]
// ...redact the request or response body **however makes sense for your payloads**
request.requestBody = request.requestBody?.replace(/"password":\s*"[^"]*"/g, '"password": "redacted-password"')
request.responseBody = request.responseBody?.replace(/"password":\s*"[^"]*"/g, '"password": "redacted-password"')
// ... or remove the request body
request.requestBody = undefined
// ... and more
// finally return the request
return request
}
}
})

Troubleshooting

Recording from localhost

Due the very high volume of network requests that some tools can make (for example when running hot-reload during development) PostHog does not capture network requests when running on localhost

Requests early in the page lifecycle don't capture all information

PostHog has to wrap fetch and xhr in order to capture network requests. If your application makes network requests before PostHog has had a chance to wrap them, then PostHog will not capture all information about the request.

PostHog truncated the request or response body

In order to maintain service levels we truncate all request and response bodies at 1MB

A network request says it was redacted

We are cautious in what we capture. If you think we're being too cautious you can override the masking function.

I want to query the network performance data I capture

We'd love that too! It's not possible right now but watch this space. You can subscribe for updates in GitHub

Questions?

Was this page useful?

Next article

Mobile session replay

🚧 NOTE: Mobile session replay is currently only available on Android and iOS and is considered beta (and is free while in beta). We are keen to gather as much feedback as possible so if you try this out please let us know. You can send feedback via the in-app support panel or one of our other support options . Mobile session replay enables you to record user sessions in mobile apps. This includes screen recordings, network requests, logs, and touches. This data can then be used to…

Read next article