Company logoHelp Center
Visit www.honorlock.com

Whitelisting and Content Security Policy (CSP) Requirements

4 min. readlast update: 02.11.2026

To ensure a seamless and secure proctoring experience, Honorlock requires specific network configurations. If your organization utilizes strict firewalls or a Content Security Policy (CSP), the following domains, ports, and protocols must be allowed to prevent service interruptions, such as failed video streams or disconnected sessions.

Core Application Domains

These domains host the primary Honorlock application, proctoring tools, and exam taker readiness tools. They are the primary endpoints for the Honorlock platform.

  • Domains: honorlock.com, *.honorlock.com, honorlock.kb.help, prep.honorlock.com.

  • Requirements: HTTPS access on Port 443.

  • Context: These endpoints are essential for exam takers to launch exams and access our Honorlock Help Center.

Real-Time Communication

Honorlock uses persistent WebSocket connections to facilitate instant communication between the exam taker's browser and our proctoring team. This infrastructure allows proctors to "pop-in" to a session or provide live chat support if an issue is detected .

 

Service

Domains to Allow

Purpose

Pusher

*.pusher.com, *.pusherapp.com, js.pusher.com, sockjs.pusherapp.com
Reference docs

Real-time signaling and chat transport .

Ably

rest.ably.io, realtime.ably.io, *.ably-realtime.com, internet-up.ably-realtime.com
Reference docs

High-reliability data synchronization and telemetry .

 

  • Pusher Requirements: Secure WebSocket connections (WSS) on Port 443. Pusher also utilizes a "SockJS" fallback that requires wildcard authorization for its subdomains .

  • Ably Requirements: Secure connections on Port 443. Ably's SDK performs a heartbeat check against internet-up.ably-realtime.com to verify connectivity .

Video Infrastructure

Honorlock captures and streams the exam taker’s webcam, audio, and screen to our secure servers. This requires specific port ranges to be open for WebRTC media exchange .

 

Service

Domains to Allow

Port & Protocol

100ms

*.100ms.live, *.hms.live, api.100ms.live
Reference docs

UDP 41000-65535 (Media), TCP 80/443 (Signaling).

Twilio

global.vss.twilio.com, global.turn.twilio.com, eventgw.twilio.com
Reference docs

UDP 10000-60000 (Media), TCP/UDP 3478 (STUN/TURN).

 

  • 100ms Context: This is our primary live video provider. In restricted environments, we recommend allowlisting their EU, US, and IN TURN server IPs to prevent exam takers from being "kicked out" of rooms due to firewall restrictions .

  • Twilio Context: Used for established media recording and composition. We recommend URL-based whitelisting over static IPs, as Twilio media server IPs are elastic and can change .

Google Infrastructure

The Honorlock interface and instructional materials leverage several Google services to ensure consistent rendering and functionality across all user devices .

  1. fonts.googleapis.com & fonts.gstatic.com: Used for rendering the system fonts used in the proctoring interface .

  2. ajax.googleapis.com: Loads essential JavaScript libraries required for the Honorlock platform's logic.

  3. www.gstatic.com & ssl.gstatic.com: Used to deliver static content, including interface scripts and icons .

  4. www.googleapis.com: Facilitates API coordination and general service authentication .

Asset Delivery and Monitoring

These services ensure that our UI components are delivered from the edge location nearest to the exam taker and that technical errors are caught in real-time.

 

Service

Domains to Allow

Purpose

AWS S3 & CloudFront

*.cloudfront.net, *.s3.amazonaws.com

Global distribution of proctoring assets and recording storage .

Sentry

*.ingest.sentry.io, browser.sentry-cdn.com
Reference docs

Real-time error tracking and performance observability.

Unpkg

unpkg.com

For delivering Honorlock Integration SDK, and Moodle Integration SDK.

 

  • AWS Context: CloudFront serves as our Content Delivery Network (CDN) for all static assets. Recordings are uploaded directly to secured S3 buckets; if access is restricted, exam recordings may fail to save .

  • Sentry Context: Sentry allows our engineering team to diagnose issues that occur in the exam taker's browser. It requires the connect-src directive in your CSP to permit data ingestion .

Digital Experience and Analytics

We use behavioral analytics to understand how exam takers navigate the proctoring launch process and to identify usability friction.

  • Hotjar: *.hotjar.com, *.hotjar.io, insights.hotjar.com. Used for exam taker feedback surveys and heatmaps .

  • Contentsquare: *.contentsquare.net, *.contentsquare.com, t.contentsquare.net. Used for deep behavioral analysis and session replays.

Content Security Policy (CSP)

If your organization enforces a Content Security Policy, please update your headers to include the following sources for each fetch directive:

CSP Directive

Required Sources

script-src

*.honorlock.com, js.pusher.com, t.contentsquare.net, ajax.googleapis.com, browser.sentry-cdn.com

connect-src

*.honorlock.com, wss://*.pusher.com, wss://realtime.ably.io, https://*.ingest.sentry.io, *.100ms.live, *.googleapis.com

font-src

*.honorlock.com, fonts.gstatic.com, data:

img-src

*.honorlock.com, *.contentsquare.net, *.s3.amazonaws.com, *.gstatic.com, data:

frame-src

*.honorlock.com, *.google.com (for support tools)

Recommendation: We highly suggest deploying these changes in Report-Only mode initially. This allows your IT team to monitor for any violations before moving to full enforcement .

 

Was this article helpful?
Contact Support