Overview
Heap’s Capture Controls provide a simple user interface for controlling which sites and/or pages data is collected from, without needing to write code.
You can view the Capture Controls for your Heap account by navigating to Account > Manage > Privacy & security.

Notes:
- These settings are applied on a per environment basis. This means settings from one Heap environment do not carry over to another.
- These settings are only applicable to Heap analytics data collection. For an overview of the privacy settings specific to Session replay, see Session replay privacy settings.
- These settings are only applicable to data collected utilizing the Heap web JavaScript SDK.
- Block and Allow are mutually exclusive functionality. Review your data collection strategy to determine which works best for you.
- Sites and pages requiring data collection must still have the Heap web JavaScript SDK client installed.
Capture All Data
By default, Capture will be selected in the Capture Controls. Heap will autocapture data on any page where the Heap SDK is installed. For an overview of Heap’s data model, see Autocaptured Data.
Block Data Capture
You can block data from being collected on a site or page by selecting the Block radio option in the panel.
This is useful if there are parts of your app, such as an internal testing subdomain, that you don’t want data collected from. Think of this selection as a blocklist that you can control from the Heap app, without using code.
Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. In order to add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to block, and then press Enter or Comma on your keyboard.

The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.
It will take between 30 seconds and 1 minute for new settings to be applied and to take effect.
Allow Data Capture
You can choose to only allow data collection from specific sites or pages by selecting the Allow radio option in the panel. This option will prevent data from being captured from any location that is not specified.
This is useful if you are concerned about data integrity and want to ensure bad actors have not set up duplicate versions of your app that could possibly send invalid data (such as fake data generated by bots) to your Heap account. Think of this selection as an allowlist that you can control from the Heap app, without using code.
Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. In order to add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to allow, and then press Enter or Comma on your keyboard.

The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.
It will take between 30 seconds and 1 minute for new settings to be applied and to take effect.
Syntax Rules
You can specify many different combinations of domains, subdomains, and/or pages within either the Blocklist or Allowlist using flexible syntax rules.
Domains
- Entering a full domain, such as heap.io, will target all data on that domain and any subsequent paths and pages. For example, in this scenario, entering heap.io will target the root domain as well as heap.io/page1.
- Entering a full domain does not target subdomains. For example, entering heap.io in the blocklist will not prevent data from being collected on community.heap.io.
- In order to target a single subdomain, enter it into the textbox.
Wildcards
- If you wish to target all subdomains, use a wildcard asterisk followed by the root domain. For example, *.heap.io would target all heap.io subdomains, including community.heap.io and help.heap.io.
- Wildcard asterisks can also be added within a URL string to target any page which matches a specific URL pattern. For example, if you wanted to prevent data from being collected within the admin section of your app, you can enter heap.io/admin/* which would target any URL pattern which contains that string.
- Only one wildcard asterisk can be used within a single entry. For example, heap.io/*/admin/* is not a valid entry.
URLs
- URLs with trailing slashes are stripped and evaluated the same as those without. For example, entering heap.io/ will be updated and evaluated the same as entering heap.io without a trailing slash.
- URLs containing either https or http will have the protocol stripped and evaluated as the same. For example, entering https://heap.io and http://heap.io will result in an entry of heap.io, which will be applied regardless of whether an https or http protocol is being used on your app.
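
To check a planned blocklist or allowlist against sample URLs before entering it in the panel, the syntax rules above can be approximated locally. This is an added example, not Heap's code: the function names are hypothetical, and two behaviours are assumptions rather than documented facts (a wildcard in the host part never matches across a "/", and an entry covers everything beneath it).

```javascript
// Added illustration: a local approximation of the syntax rules on this page.
// Not Heap's code; function names and edge-case choices are assumptions.

// Strip the protocol and any trailing slashes, as the URL rules describe.
function normalize(value) {
  return value.trim().replace(/^https?:\/\//i, "").replace(/\/+$/, "");
}

// Return the normalized entry, or throw if it breaks a documented rule.
function parseEntry(raw) {
  const entry = normalize(raw);
  if (entry === "") throw new Error("empty entry");
  if ((entry.match(/\*/g) || []).length > 1) {
    throw new Error(`only one wildcard allowed: ${raw}`);
  }
  return entry;
}

// Compile an entry into a RegExp tested against "host/path" strings.
function compileEntry(raw) {
  const entry = parseEntry(raw);
  const star = entry.indexOf("*");
  const slash = entry.indexOf("/");
  const inHost = star !== -1 && (slash === -1 || star < slash);
  // Assumption: a host wildcard stays inside the host, so a path segment
  // that merely ends in ".heap.io" on another domain does not match.
  const wildcard = inHost ? "[^/]+" : ".*";
  const body = entry
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(wildcard);
  // Assumption: an entry also covers any path beneath it.
  return new RegExp(`^${body}(?:/.*)?$`);
}

function matchesAny(entries, url) {
  const target = normalize(url);
  return entries.some((e) => compileEntry(e).test(target));
}

// Capture decision for the three modes: "capture", "block", "allow".
function shouldCapture(mode, entries, url) {
  if (entries.length > 100) throw new Error("more than 100 entries");
  if (mode === "block") return !matchesAny(entries, url);
  if (mode === "allow") return matchesAny(entries, url);
  return true; // default Capture mode: no filtering
}
```

Running a list of expected-allowed and expected-blocked URLs through shouldCapture catches entries that are broader or narrower than intended, such as a root-domain entry that was meant to cover subdomains.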