Breadcrumbs

Managing Allowed URLs for Recording in Leapwork Performance

Allowed URLs lets administrators define which web addresses their team is permitted to record in Leapwork Performance.

This is an important security and governance control. When the policy is enabled, admins decide which networks and systems the team can record from and execute against. That helps prevent accidental recording or load testing against unauthorized environments, third-party systems, or non-approved domains.

Why this matters

  • It gives admins control over the network boundary for recording and testing.

  • It limits recording and execution to approved HTTP/HTTPS hosts.

  • It reduces the risk of capturing traffic from the wrong environment.

  • It supports enterprise governance and compliance requirements.

Before you start

  • You need an admin-capable role to manage the policy.

  • Decide which environments should be approved, such as staging, pre-production, or other authorized targets.

  • Only add URLs for systems your organization owns or is explicitly authorized to test.

How to manage Allowed URLs

  1. Open Settings in Leapwork Performance.

  2. Go to Policy Configuration > Allowed URLs.

  3. Turn on Enforce Allowlist to restrict recording and execution to approved URLs only.

  4. Add the URLs your team is allowed to use.

  5. Review the list to confirm it contains only approved hosts and environments.

  6. Update the list whenever your approved test landscape changes.

What users will experience when the policy is enabled

  • Users can only start recording for URLs that admins have added to the allowed list.

  • The All URLs option is no longer available.

  • If no allowed URLs are defined, recording cannot start until an admin adds one or more approved URLs.

  • Non-admin users can view the allowed list, but they cannot change the policy or edit the entries.

  • Start by allowing only non-production or otherwise approved test environments.

  • Keep the list as small as practical.

  • Review the list regularly and remove URLs that are no longer needed.

  • Align the list with your internal access, security, and change-management processes.

Outcome

With Allowed URLs in place, administrators stay in control of which systems can be recorded and used for API and load testing in Leapwork Performance. This creates a safer and more predictable operating model for teams that need to record traffic while staying inside approved security boundaries.