langfuse-security-basics

# Langfuse Security Basics ## Overview Security practices for Langfuse LLM observability: credential management, PII scrubbing before tracing, self-hosted hardening, data retention, and secret scanning. ## Prerequisites - Langfuse instance (cloud or self-hosted) - API keys provisioned - Understanding of data privacy requirements (GDPR, SOC2, HIPAA) ## Instructions ### Step 1: Credential Security Langfuse uses two keys with different security profiles: ```typescript // Startup validation -- catch misconfigurations early function validateLangfuseCredentials() { const publicKey = process.env.LANGFUSE_PUBLIC_KEY; const secretKey = process.env.LANGFUSE_SECRET_KEY; if (!publicKey || !secretKey) { throw new Error("LANGFUSE_PUBLIC_KEY and LANGFUSE_SECRET_KEY are required"); } // Catch key swap (common mistake) if (secretKey.startsWith("pk-lf-")) { throw new Error("LANGFUSE_SECRET_KEY contains a public key (pk-lf-). Keys are swapped."); } if (publicKey.startsWith("sk-lf-")) { throw new Error("LANGFUSE_PUBLIC_KEY contains a secret key (sk-lf-). Keys are swapped."); } return { publicKey, secretKey }; } // Use validated credentials const { publicKey, secretKey } = validateLangfuseCredentials(); ``` **Key security rules:** - Public key (`pk-lf-...`): Identifies the project. Safe in client-side code. - Secret key (`sk-lf-...`): Grants write access. **Server-side only.** - Store in environment variables or secret manager -- never in source code. -...