Live website testing with Maze allows your team to run usability tests to understand how users are interacting with your live websites.
In this article:
- Before you start
- Who can use this feature
- Install the Maze tracking code on your website
- How to create a live website test in Maze
- Results & Reports
- Security and performance
Before you start
- For security reasons, your team can only test websites in which your unique code snippet is installed. You won't be able to test websites where your code snippet is not installed. Learn how to install the Maze code on your website
- In-page events/interactions (e.g. clicking a toggle) are not captured as steps in the path. The URL must change between different screens for the test to be meaningful. Why do I see a "We didn't detect any clicks on this page" when creating a path?
- The test experience must take place on a single tab. At the moment, the ability to test websites that open a new tab or window (even if those locations also have the snippet installed) is not supported.
- Native mobile app testing is not currently supported. Learn how you can test on mobile devices
- There are currently some limitations around displaying results data for website testing. Learn more
Who can use this feature?
Live website testing is available for users on all plans.
Install the Maze tracking code on your website
In order to enable usability testing on your live website, you’ll need to install a unique code snippet that enables this feature to run on your website.
You’ll also be prompted to follow these steps from your draft maze if you haven’t added the code to your URL’s domain yet when creating a live website testing block.
How to create a live website test in Maze
To create a live website test:
- Add a live website testing block to your maze
- Enter the starting URL
- Set the device type
- Define paths
- Screenshot anonymization options
- Enable Clips
- Add more blocks (if needed) and publish your maze
- Hiring testers from the maze panel
Add a live website testing block
- Open a draft maze.
- Click Add block, then select Live website test.
- Enter the task title and an optional description. Learn best practices for writing tester prompts
You can test websites in any region and language. However, at the moment, the task interface for website testing blocks will only display in English.
Enter the starting URL
Paste the URL of your website and click Set up. Wait a few moments until we verify that the Maze tracking code is correctly installed on the website.
- The URL you paste will be the starting page/screen of your test.
- The URL must include a valid scheme (e.g.
- A small floating window will open with a preview of your website. Please don't close this window; this is an important step for Maze to detect whether the snippet is working correctly on your website.
Set the device type
Select the Device type to determine the resolution in which your live website should be opened.
- Desktop: Your website window will open on a desktop resolution (1024px). Testers on smaller screens, such as mobile devices, won’t be able to open the maze at all — in those cases, they’ll see a “This page needs a larger screen” error.
- Mobile: Your website window will open on a mobile resolution (420px). Testers on a desktop will still be able to open the maze; the live website window will simply open on a mobile resolution.
Define paths (optional)
Paths are the baseline for measuring the success of a mission. If you set a path, Maze will automatically categorize each test as Direct Success, Indirect Success, or Mission Unfinished.
Unlike prototype tests, you don't have to pre-define paths when setting up a website test.
Without defining a path, it's not possible for Maze to establish whether each tester path was successful. As a result, tester paths will appear in the results as Uncategorized. Why are some paths marked as "Uncategorized"?
Please note that in-page events/interactions (e.g. clicking a toggle) are not captured as steps in the path. The URL must change between different screens for the test to be meaningful. Why do I see a "We didn't detect any clicks on this page" when creating a path?
To set up a path on your website test:
- In your draft maze, add a website block.
- To start creating your paths, click Create path. A floating window will open with a preview of your website. Avoid opening the task window in a new tab and/or in full screen, as it may exceed the maximum window dimension and trigger a "Window size too large" error. Learn more about device resolution in website tests
- Click through the website to define the path you expect the testers to take in order to complete the task. At the moment, each page change or parameter change counts as a screen in the path. Learn more about paths
- To add more paths, click + Add new path.
- Once you’re done, click Save and close to save the paths and go back to the draft maze.
When testing on a live website, you may be collecting personally identifiable information (PII) from your testers. For instance, if you ask users to log in to their account as part of your test, the screenshots on your Results dashboard may include anything they’ve entered when logging in, as well as any data on their personal area.
At the block level
When creating a website test, you’ll need to select how text should be displayed in the screenshots on your results page.
- Strict: Hides all text, both in the UI and anything entered in input boxes. The results page will show only the visual elements.
- Balanced: Hides anything entered in input boxes, as well as numbers and email addresses. Generally, this is the option we’d generally recommend, as it allows you to protect your testers’ sensitive data while still being able to see the UI.
- Relaxed: Shows all text, both in the UI and anything entered in input boxes.
Please be mindful that, if you enable Clips, the recording will show all information on the screen — Clips recordings are not anonymized.
Masking/unmasking content by default
You can also add an extra layer of security and mask/reveal certain content globally, regardless of the chosen setting in Maze.
To do so, add one of the following attributes to the relevant HTML blocks:
Adding these attributes will either mask or unmask the content of an HTML element in the maze results. These attributes override the anonymization settings set at the block level. For instance:
- If you add
data-maze-mask="True"as an attribute to an HTML element, the content is always hidden (i.e. strict anonymization) in the results, even with the anonymization setting of the block set to "Relaxed".
data-maze-unmask="True"attribute will always reveal the content in the HTML element (i.e. relaxed anonymization), even with the anonymization setting of the block set to "Strict".
Toggle Clips to collect video and screen recordings of usability tasks in Maze. When enabled, this setting applies to all missions. Learn more about Clips
However, please note that it's not possible to hire testers for a website test with Clips enabled. Learn more about hiring testers for your website test from the Maze panel
Add more blocks (if needed) and publish your maze
You can add multiple live website tests per maze. To add more tasks, simply create a new Live Website Testing block and repeat the steps above.
Hiring testers from the maze panel
To safeguard testers' personal data, there are some restrictions when hiring panel testers for a website test:
- If you’ve enabled Clips, these will be disabled for panel testers.
- Anonymization settings will be automatically changed to Strict. Please note that this can't be reversed.
You can still get Clips recordings for your live website tests through alternative share options.
My website is password-protected / behind a login wall. Can I still run a website test?
Yes — you can run usability tests on websites where logging in or entering a password is required.
As long as the tracking code is correctly installed, you just need to ensure that your testers have the required credentials to access your website.
Results & Reports
As testers complete your live maze, you will start seeing insights on the Results dashboard.
Maze reports make it easy to analyze, share, and present your results data. Reports are automatically generated for every live maze tested with at least one tester.
Current limitations when viewing live website test results
- Due to technical limitations, heatmap screens won’t always capture the live website page in perfect detail.
- Overlays and modals are not captured in heatmaps; only the base page/screen.
Security and performance FAQs
Will the Maze script slow down my website?
The Maze script is designed to have a very minimal impact on the performance of your website. It shouldn't take more than a few milliseconds to load, and this shouldn't be noticeable at all to your website users.
The Maze script loads asynchronously. Your website will continue to load while the Maze script is being executed.
This means that, even if the script fails to load (which is unlikely), your website will still continue to render as expected without the script.
The Maze tracking code you install on your website is used to dynamically run a loader that powers the testing on your website. The tracking code is less than 1KB.
The dynamic loader is less than 10KB and only runs in specific circumstances:
- the loader only runs if the API has a valid response;
- the API keys are only valid for each domain you configure;
- the code for either live website testing or the in-product prompt is only triggered if the destination site is opened on a new tab. If this first check is passed, we send a post message to the tab that opened the site, and attach an event listener to wait for the response. The rest of the live website testing code is only triggered if we get the proper response in the first minute. Otherwise, it will have no further impact.
If either of the conditions above is not met, the script is not loaded at all.
Content Delivery Network (CDN)
The dynamic loader is served by a Content Delivery Network (CDN).
A CDN is a distributed network of servers that delivers content based on a user's geographic location. It does this by storing copies of the content on servers located in different places around the world. When someone visits a website using a CDN, the content is delivered to their device from the server closest to them, reducing the distance it needs to travel and making it load faster.
Using a CDN allows us to serve the loader faster, more reliably, securely, and with reduced data usage.
The script uses session-based caching. The script is loaded only once, even when the user navigates through multiple pages.
Content Security Policy (CSP) directives
A Content Security Policy (CSP) is a security feature that helps protect websites from security threats and vulnerabilities. It does this by specifying the type of content (e.g. scripts, images, videos) that can be loaded on a website, and from which sources they can be loaded. This helps mitigate certain types of malicious attacks, such as cross-site scripting (XSS), clickjacking, and data injection attacks.
If you have a CSP implemented, you'll need to add a directive that allows files to be loaded from Maze in order to allow the Maze script to work on your website.
Default: If using a default CSP, we recommend adding the Maze domain as a trusted source in the default-src rules:
Stricter: If your organization requires stricter restrictions, we recommend the settings below:
script-src https://*.maze.co/ font-src https://*.maze.co/ style-src https://*.maze.co/ connect-src https://*.maze.co/ img-src https://*.maze.co/
Strictest: If your CSP requires additional granularity, the following are the minimum rules required for the Maze script to work. Please note that this list is subject to change as this feature evolves. In that case, you'll need to update your CSP directives so that the snippet can continue to work.
script-src https://snippet.maze.co/ font-src https://snippet.maze.co/ style-src https://snippet.maze.co/ img-src https://snippet.maze.co/ connect-src https://api.maze.co/ https://prompts.maze.co/
What measures are in place to ensure the security of the script?
Any changes to the script are subject to Maze’s change control policy.
Access to code changes is restricted to authorized employees only. All changes must go through code review and testing before deployment.
The script is hosted as part of our general platform infrastructure, with access restricted to authorized employees.
Is the script open-source?
The Maze tracking script is closed-source. By keeping the source code closed, Maze controls how the script is developed and distributed.
What data does Maze collect from my testers?
Is there any tracking in place for general website visitors?
If your website visitors are not being targeted by an in-product prompt or live website test, no information or data will be collected from those users.
What measures are in place to ensure the privacy of my testers when testing live websites?
Website testing happens on your actual live website. Interactions happen in the “real world”; Maze doesn’t create a dummy/test/staging environment for you.
You should therefore be mindful that you may be collecting personally-identifying information (PII) from your testers. For instance, if you ask users to log in to their account as part of your test, the screenshots on your Results dashboard may include anything they’ve entered when logging in, as well as any data on their personal area.
To ensure the privacy of your testers, Maze offers built-in screenshot anonymization options. Please be mindful that, if you enable Clips, the recording will show all information on the screen — Clips recordings are not anonymized.
Additionally, you can set up your own staging environment, and/or give users test credentials to avoid having them reveal their personal data.
Still need help?
If you have any questions or concerns, please let our Support team know — we'll be happy to help!