Skip to main content
This feature is currently in public preview and is not recommended for production use.
Domain filtering lets you control which external domains a sandbox can reach. You can define an allowlist (only listed domains are reachable) or a denylist (all domains except listed ones are reachable). Domain filtering and proxy routing are independent configurations — you do not need to duplicate domains across both. A domain can appear in the allowlist without having a proxy routing rule, and vice versa.
Domain filtering relies on the sandbox’s tools and libraries respecting the standard proxy environment variables (HTTP_PROXY, HTTPS_PROXY). Traffic from tools that ignore these variables will not be filtered. Routing-level enforcement is planned for a future release.

Allowlist

Only the listed domains are reachable:

Denylist

All domains except the listed ones are reachable:
When both allowedDomains and forbiddenDomains are set, allowedDomains takes precedence: a domain that appears in both lists will be allowed.

Firewall + proxy combined

Firewall rules and proxy routing compose naturally:
Only api.stripe.com and api.openai.com are reachable. The proxy injects credentials for Stripe requests; OpenAI requests go through unmodified.
Last modified on June 30, 2026