Manual URLs and path rules

Before adding a manual URL

Manual URLs are the fallback for public pages that belong to the project domain but were not found by discovery. They should make the accepted scope more precise, not widen it into private pages, another host, third-party tools or unsafe actions. Use this page after [Supported scopes](/docs/projects/supported-scopes) confirms the target is eligible and [Public-page-only limits](/docs/projects/public-page-only-limits) explains the plan page budget. The example URL `https://shop.example.com/returns` is synthetic; use only customer-approved public URLs in the product.

Add a missing same-domain public URL

Follow the path `Projects → Project detail → Scan scope selection → Add authorized URL → Scope acceptance`.

1. Open /projects and choose the project for the authorized domain. Result: the project detail page shows Scan scope selection and the Add authorized URL field for that project.
2. Check that discovery has already found the main public URL groups. Result: manual URLs are used only for missing pages, not as a shortcut around discovery, plan limits or authorization.
3. In Add authorized URL, enter complete HTTPS URLs such as https://shop.example.com/returns, one per line. Result: the selected scope count includes each manual URL before acceptance.
4. Keep every manual URL on the same project host and inside the public customer journey. Result: the scan boundary does not expand to admin, account, payment-completion, third-party or private pages.
5. Use include paths for public areas that may be scanned and exclude paths for areas that must stay out. Result: the crawler can follow allowed paths while skipped pages have clear reasons.
6. When the manual URLs and path rules look correct, continue to Accepted scan scope. Result: the approval record stores selected groups, manual URLs and path rules before any live audit starts.

Set include and exclude path rules

Path rules are guardrails for discovery and later crawl seeds. They should be easy to explain to a customer or reviewer.

• Include paths are the public areas the scanner may follow, such as `/`, `/products`, `/pricing` or `/checkout-info`.
• Exclude paths are areas that must stay out, such as `/admin`, `/account`, `/login`, `/checkout/complete`, `/internal` or destructive form paths.
• A manual URL still has to pass the same host, public-page and plan-limit checks as discovered pages.
• Excluded paths should explain why a skipped URL was left out instead of silently disappearing from scan evidence.
• If a public journey needs more pages than the plan allows, choose an eligible plan before acceptance instead of adding more manual URLs.

Blocked states

Do not accept scope while manual URL validation is failing.

• Invalid URL means rewrite the value as a complete HTTPS URL, one URL per line.
• Outside domain means remove the URL or create a project for the correct host.
• Private, login-required or admin path means use [Unsupported targets](/docs/projects/unsupported-targets) and keep it out of scope.
• Outside include paths means either update the include path deliberately or remove the URL.
• Excluded path means the page is intentionally skipped and should not be added back through another manual URL.

Continue to accepted scan scope

When every manual URL is public, same-domain, inside include paths, outside exclude paths and within the plan page budget, continue to [Accepted scan scope](/docs/projects/accepted-scan-scope). That page stores the selected groups, manual URLs and path rules as the boundary the live audit must follow.