Capturing pages (incl. behind a login)
Capture any URL in a real browser, record authenticated flows, and how the credential vault protects secrets.
Letting Harpoon capture for you#
Instead of exporting a HAR by hand, Harpoon can drive a real headless Chromium at your URL, record the load, and analyze it in one step. For pages behind a login, record the sign-in flow once in the live recorder (or import a session), save it as a flow, and Harpoon replays it on demand — and on a schedule via monitors.
URL capture is a Patrol-plan feature; authenticated flows and the credential vault are Fleet — see the plan matrix.
The credential vault#
- Secrets (passwords, TOTP seeds) are encrypted with AES-256-GCM before they're stored.
- They are write-only: used during a replay, but never returned by any API, shown in any UI, or written to any log — you can only overwrite or delete them.
- Captured HARs are redacted before storage, and a secret-leak guard scans the capture output so vault values can't end up inside the recording itself.
Why some URLs are refused#
The capture browser runs inside Harpoon's infrastructure, so it refuses to visit anything that isn't the public web: localhost, private-network ranges, link-local addresses, and cloud metadata endpoints. That check runs before navigation and on every hop after it — a redirect, sub-resource, or in-page navigation to an internal address is aborted mid-flight.
Containment & limits#
- The browser runs as an unprivileged user with Chromium's own sandbox enabled (deployment-controlled via
CAPTURE_SANDBOX). - Concurrent captures are capped per deployment (
CAPTURE_MAX_BROWSERS, default 6) with a per-renderer memory ceiling, so a burst can't take the service down. - Live recorder sessions time out after 3 minutes idle and 15 minutes total.
The full containment write-up lives in Security & your data.