PostHog Autocapture Setup: The Technical Implementation Guide

Move beyond the default install. Learn the technical standards for configuring PostHog Autocapture for B2B SaaS, including reverse proxies, redaction, and identity resolution.

Jake McMahon | 19 min read | Published March 28, 2026

TL;DR

  • Data Accuracy: Implement a Reverse Proxy to ensure 100% data capture by bypassing client-side ad-blockers.
  • Autocapture Exceptions: Use `autocapture_exceptions` to filter noisy interactions (e.g., menu clicks) and protect sensitive PII.
  • Identity Lifecycle: Call `posthog.identify()` on login to merge anonymous browser history with known database profiles.
  • Group Analytics: Essential for B2B. Use `posthog.group()` to aggregate behavioral health at the account level.
  • Hybrid Strategy: Use Autocapture for discovery; use Custom Events for decision-critical milestones (e.g., `form_published`).

1. Ensuring 100% Data Accuracy: The Reverse Proxy

The biggest threat to modern analytics is not "Missing Tags," but **Ad-Blockers**. Up to 40% of technical users (your primary ICP) run browser extensions that block requests to `app.posthog.com`. This makes your attribution and churn data statistically unreliable.

At ProductQuant, we enforce a **Reverse Proxy** standard for all implementations. By routing PostHog traffic through your own subdomain (e.g., `analytics.app.com`), the requests look like first-party data. This bypasses ad-blockers and ensures that your retention cohorts reflect the real behavior of 100% of your users.

```javascript
// Initialize with Reverse Proxy
posthog.init('<YOUR_PROJECT_API_KEY>', { // placeholder: use your own project key
  api_host: 'https://analytics.yourdomain.com', // Your proxy address
  ui_host: 'https://app.posthog.com',
  autocapture: true
});
```

2. Noise Control: Configuring Autocapture Exceptions

By default, PostHog captures everything. For B2B SaaS, this leads to a "Leaky Bucket" of event noise. You must use `autocapture_exceptions` to maintain analytical clarity.

The 'Tagged-Only' Strategy

Instead of tracking every div, we recommend an **Opt-In Autocapture** model. Configure PostHog to only capture clicks on elements that have a specific data attribute (e.g., `data-ph-capture`). This gives your product team the speed of discovery with the discipline of a tracking plan.

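```javascript
posthog.init('<YOUR_PROJECT_API_KEY>', { // placeholder: use your own project key
  autocapture: {
    url_allowlist: [/\/dashboard/, /\/settings/],   // only capture on these paths
    dom_event_allowlist: ['click'],                 // only capture click events
    css_selector_allowlist: ['[data-ph-capture]']   // only capture tagged elements
  }
});
```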

"Autocapture is for discovery. Custom events are for decisions. If your churn model depends on an Autocaptured click, it will break the moment a developer updates the CSS. Use Autocapture to identify what *should* be a custom event."

— Jake McMahon, ProductQuant

3. Identity Resolution: From Anonymous to Known

User identification is the most critical step in growth engineering. It tells you **Who** performed the action. We use a three-stage identity lifecycle.

| Stage | Technical Action | The Value |
|---|---|---|
| Anonymous | Initial Landing | Capture UTM source and referrer. |
| Identified | `posthog.identify()` | Merge history with database ID on login. |
| Grouped | `posthog.group()` | Associate user with their B2B Organization. |

The 'Post-Login' Identity Merge

Call `posthog.identify()` immediately upon login or signup. PostHog will automatically merge the anonymous browser history (and UTM data) with the new known profile. This is how you prove that a specific ad campaign produced a retained Enterprise account.

4. Data Privacy and Redaction

For regulated industries like healthcare (FormDR), Autocapture is a risk. You must implement strict redaction rules to ensure PII (Personally Identifiable Information) never touches your analytics server.

  • Redact all inputs: Set `mask_all_element_attributes: true` by default.
  • Selective Capture: Only "Opt-In" to specific properties that are safe for analysis (e.g., `form_type` or `plan_tier`).
  • Private Cloud: For 100% data sovereignty, deploy PostHog in your own VPC to ensure data never leaves your compliance boundary.
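
The "selective capture" rule above, written as a deny-by-default event filter. This is an added example, not the author's or PostHog's code. The event shape, the function names, and the idea of wiring `redactEvent` into a `before_send`-style hook in your posthog-js version are assumptions; `form_type` and `plan_tier` are the safe properties named in the list.

```javascript
// Added example. Event shape ($elements, $el_text, attr__*, $set) is an assumed,
// constructed model of an autocapture payload; check it against your SDK version.
const SAFE_PROPS = new Set(['form_type', 'plan_tier']);   // the page's safe examples
const SAFE_ATTRS = new Set(['attr__data-ph-capture']);    // the opt-in tag attribute
const PII_PATTERNS = [
  /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi,              // e-mail addresses
  /\b\d{3}-\d{2}-\d{4}\b/g,                               // US SSN layout
];

// Recursively replace PII-looking substrings in strings, arrays and objects.
function scrub(value) {
  if (typeof value === 'string')
    return PII_PATTERNS.reduce((s, re) => s.replace(re, '[REDACTED]'), value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object')
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrub(v)]));
  return value;
}

// Keep only keys that were explicitly opted in.
const allowlisted = (obj) =>
  Object.fromEntries(Object.entries(obj || {}).filter(([k]) => SAFE_PROPS.has(k)));

// Query strings and fragments often carry tokens, e-mails or record ids.
const stripQuery = (url) => (typeof url === 'string' ? url.split(/[?#]/)[0] : url);

function redactElement(el) {
  const out = {};
  for (const [k, v] of Object.entries(el)) {
    if (k === '$el_text') continue;                       // never ship visible text
    if (k.startsWith('attr__') && !SAFE_ATTRS.has(k)) continue;
    out[k] = scrub(v);
  }
  return out;
}

function redactEvent(event) {
  if (!event || typeof event !== 'object') return null;   // drop malformed events
  const props = {};
  for (const [k, v] of Object.entries(event.properties || {})) {
    if (k === '$current_url' || k === '$referrer') props[k] = stripQuery(v);
    else if (k === '$elements' && Array.isArray(v)) props[k] = v.map(redactElement);
    else if (k === '$set' || k === '$set_once') props[k] = allowlisted(v);
    else if (k.startsWith('$')) props[k] = scrub(v);      // other SDK-set properties
    else if (SAFE_PROPS.has(k)) props[k] = v;             // opted-in custom properties
    // every other custom property is dropped: deny by default
  }
  return { ...event, properties: props };
}
```

Pattern scrubbing is only a backstop for free-text fields; the allowlists are what keep unknown properties and attributes from leaving the browser.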

90% Cost Reduction

By cleaning up noisy autocapture events and focusing on 20 high-value custom milestones, we helped a client reduce their PostHog bill by 90% while increasing their analytical velocity.

FAQ

Does PostHog Autocapture slow down my app?

Minimally. PostHog uses an optimized event listener. However, if you have thousands of DOM elements, use a `url_allowlist` to disable capture on high-traffic, low-value pages like your public blog or landing page.

How do I handle Single Page Applications (SPA)?

PostHog automatically listens for `popstate` and `pushState` events. However, for 100% reliability, we recommend manually calling `posthog.capture('$pageview')` on your router's navigation hook to ensure the `initial_utm_source` is correctly attributed.

Can we use PostHog for HIPAA compliance?

Yes, but you must use the **Self-Hosted** or **Private Cloud** options and sign a BAA. You must also implement the server-side redaction rules mentioned above to protect Protected Health Information (PHI).

About the Author

Jake McMahon is a PLG & GTM Growth Consultant who has led 100+ PostHog implementations for Series A-C SaaS companies. He specializes in technical data hygiene, reverse proxy architecture, and connecting behavioral telemetry to revenue outcomes.