Domain Whitelist
The domain whitelist is a security feature that ensures Recapt only accepts data from your authorized domains. This prevents unauthorized websites from sending data to your account.
Why Whitelist Domains?
- Security: Prevents malicious actors from sending fake session data
- Data Integrity: Ensures all recorded sessions are from your actual websites
- Cost Control: Avoids unexpected usage from unauthorized sources
Adding Domains
During Installation
- Navigate to Installation in your Recapt dashboard
- In Step 2 (Domain Settings), enter your domain
- Click Add Domain
- Repeat for additional domains
In Settings
- Go to Settings > Whitelist Domains
- Enter the domain name in the input field
- Click Add Domain
Domain Format
Enter domains without the protocol (http:// or https://):
| Correct | Incorrect |
|---|---|
example.com | https://example.com |
app.example.com | http://app.example.com |
www.example.com | www.example.com/path |
Common Domain Configurations
Single Domain Website
If your website runs on one domain:
example.com
With WWW Subdomain
If users access your site with and without www:
example.com
www.example.com
Multiple Subdomains
For applications with multiple subdomains:
example.com
app.example.com
dashboard.example.com
admin.example.com
Staging and Production
For different environments:
example.com
staging.example.com
dev.example.com
You can use the same API key across all your domains, or create separate API keys for different environments.
Wildcard Domains
Currently, Recapt does not support wildcard domains (e.g., *.example.com). You must add each subdomain individually.
Localhost Development
By default, localhost is not whitelisted. To enable recording during development:
- Go to Settings > Organization
- Toggle Localhost to enabled
This allows requests from:
localhost127.0.0.1- Any localhost port (e.g.,
localhost:3000)
We recommend keeping localhost disabled in production. Only enable it during active development to avoid recording unwanted test sessions.
Managing Domains
Viewing Whitelisted Domains
- Go to Settings > Whitelist Domains
- All your whitelisted domains are displayed in the table
Removing a Domain
- Go to Settings > Whitelist Domains
- Find the domain you want to remove
- Click the trash icon next to the domain
- Confirm the removal
Removing a domain immediately stops Recapt from accepting data from that domain. Make sure you've removed the Recapt script from the domain before removing it from the whitelist.
Troubleshooting
Sessions Not Recording
If sessions aren't appearing in your dashboard:
- Check the domain is whitelisted: Verify the exact domain (including subdomains) is in your whitelist
- Check for typos: Ensure the domain is spelled correctly
- Check localhost setting: If testing locally, ensure localhost is enabled
- Check the browser console: Look for any error messages from Recapt
CORS Errors
If you see CORS-related errors:
- Verify the domain making requests matches a whitelisted domain exactly
- Check that you're not including the protocol in the whitelist
- Ensure subdomains are added separately
Best Practices
- Add all environments: Include production, staging, and development domains
- Be specific: Add exact subdomains rather than relying on the main domain
- Regular audits: Periodically review your whitelist and remove unused domains
- Test after changes: Verify recording works after modifying the whitelist