What is PostHog Autocapture and what events does it capture automatically?

PostHog Autocapture automatically tracks clicks, form submissions, page views, and input changes without requiring manual event instrumentation. It is designed to provide immediate analytics coverage while a team builds out a deliberate custom event taxonomy.

How do you set up a reverse proxy for PostHog Autocapture?

A reverse proxy routes PostHog tracking calls through your own domain (e.g., /ingest) instead of directly to app.posthog.com, bypassing ad blockers and third-party cookie restrictions. Setup requires a CDN or server-level redirect rule pointing to the PostHog ingest endpoint.

What are Autocapture exceptions and when should they be used?

Autocapture exceptions are CSS selectors or element patterns that tell PostHog to ignore specific UI elements. They should be used to exclude highly dynamic elements like drag-and-drop interfaces, autocomplete dropdowns, or any field that might capture PII.

What are the limitations of relying solely on PostHog Autocapture for product analytics?

Autocapture captures UI interactions but cannot capture backend events, business logic milestones, or meaning — only that an element was clicked, not what the user intended. Custom events are always needed alongside Autocapture to measure activation milestones and business outcomes.

How should teams handle PII in PostHog Autocapture implementations?

Teams should configure Autocapture to mask or exclude form inputs, use the autocapture exceptions list for sensitive fields, and review the PostHog data model regularly to confirm that no personally identifiable information is being stored in event properties or person records.

PostHog Autocapture Setup: The Technical Implementation Guide

TL;DR

Data Accuracy: Implement a Reverse Proxy to ensure 100% data capture by bypassing client-side ad-blockers.
Autocapture Exceptions: Use autocapture_exceptions to filter noisy interactions (e.g., menu clicks) and protect sensitive PII.
Identity Lifecycle: Call posthog.identify() on login to merge anonymous browser history with known database profiles.
Group Analytics: Essential for B2B. Use posthog.group() to aggregate behavioral health at the account level.
Hybrid Strategy: Use Autocapture for discovery; use Custom Events for decision-critical milestones (e.g., form_published).

Tracking Types: Autocapture vs. Custom Events — A hybrid tracking approach: using autocapture for speed and custom events for precision.

1. Ensuring 100% Data Accuracy: The Reverse Proxy

The biggest threat to modern analytics is not "Missing Tags," but Ad-Blockers. Up to 40% of technical users (your primary ICP) run browser extensions that block requests to app.posthog.com. This makes your attribution and churn data statistically unreliable.

At ProductQuant, we enforce a Reverse Proxy standard for all implementations. By routing PostHog traffic through your own subdomain (e.g., analytics.app.com), the requests look like first-party data. This bypasses ad-blockers and ensures that your retention cohorts reflect the real behavior of 100% of your users. If you want these standards applied from day one rather than retrofitted later, our PostHog consulting work covers the full technical setup.

// Initialize with Reverse Proxy
posthog.init('', {
  api_host: 'https://analytics.yourdomain.com', // Your proxy address
  ui_host: 'https://app.posthog.com',
  autocapture: true
});
        

2. Noise Control: Configuring Autocapture Exceptions

By default, PostHog captures everything. For B2B SaaS, this leads to a "Leaky Bucket" of event noise. You must use autocapture_exceptions to maintain analytical clarity.

The 'Tagged-Only' Strategy

Instead of tracking every div, we recommend an Opt-In Autocapture model. Configure PostHog to only capture clicks on elements that have a specific data attribute (e.g., data-ph-capture). This gives your product team the speed of discovery with the discipline of a tracking plan.

posthog.init('', {
  autocapture: {
    url_allowlist: [/\/dashboard/, /\/settings/],
    dom_event_allowlist: ['click'],
    css_selector_allowlist: ['[data-ph-capture]']
  }
});
        

"Autocapture is for discovery. Custom events are for decisions. If your churn model depends on an Autocaptured click, it will break the moment a developer updates the CSS. Use Autocapture to identify what should be a custom event."
— Jake McMahon, ProductQuant

3. Identity Resolution: From Anonymous to Known

User identification is the most critical step in growth engineering. It tells you Who performed the action. We use a three-stage identity lifecycle.

Stage	Technical Action	The Value
Anonymous	Initial Landing	Capture UTM source and referrer.
Identified	posthog.identify()	Merge history with database ID on login.
Grouped	posthog.group()	Associate user with their B2B Organization.

The 'Post-Login' Identity Merge

Call posthog.identify() immediately upon login or signup. PostHog will automatically merge the anonymous browser history (and UTM data) with the new known profile. This is how you prove that a specific ad campaign produced a retained Enterprise account.

4. Data Privacy and Redaction

For regulated industries like healthcare, Autocapture is a risk. You must implement strict redaction rules to ensure PII (Personally Identifiable Information) never touches your analytics server.

Redact all inputs: Set mask_all_element_attributes: true by default.
Selective Capture: Only "Opt-In" to specific properties that are safe for analysis (e.g., form_type or plan_tier).
Private Cloud: For 100% data sovereignty, deploy PostHog in your own VPC to ensure data never leaves your compliance boundary.

90% Cost Reduction

By cleaning up noisy autocapture events and focusing on 20 high-value custom milestones, we helped a client reduce their PostHog bill by 90% while increasing their analytical velocity.

FAQ

Does PostHog Autocapture slow down my app?

Minimally. PostHog uses an optimized event listener. However, if you have thousands of DOM elements, use a url_allowlist to disable capture on high-traffic, low-value pages like your public blog or landing page.

How do I handle Single Page Applications (SPA)?

PostHog automatically listens for popstate and pushState events. However, for 100% reliability, we recommend manually calling posthog.capture('$pageview') on your router's navigation hook to ensure the initial_utm_source is correctly attributed.

Can we use PostHog for HIPAA compliance?

Yes, but you must use the Self-Hosted or Private Cloud options and sign a BAA. You must also implement the server-side redaction rules mentioned above to protect Patient Health Information (PHI).

Sources

About the Author

Jake McMahon is a PLG & GTM Growth Consultant who has led 100+ PostHog implementations for Series A-C SaaS companies. He specializes in technical data hygiene, reverse proxy architecture, and connecting behavioral telemetry to revenue outcomes.

Learn More Work with Jake