Policy

Choose a protection level, set the low-trust and block lines, and turn individual trust signals on or off — all on one page.

Overview

The Policy page controls how Security behaves: whether it runs at all, where it draws the low-trust and block lines, and which signals it watches. It replaces the old separate Rules and Settings pages — everything now lives here. (The old /rules and /settings links redirect here automatically.)

Security monitoring

A master switch at the top turns the whole engine on or off:

  • On — every visitor is scored in real time and can be flagged or auto-blocked
  • Off — no signals are evaluated and no visitor is scored or blocked. The rest of the page dims to show monitoring is paused.
Turning monitoring off doesn't clear existing statuses or blocks — visitors simply stop being scored. Turn it back on and scoring resumes from where it left off.

Protection level

Three one-click presets set both lines at once. Pick the one that matches your risk tolerance, or drag the lines yourself to go Custom.

PresetBlock lineLow-trust lineBest for
Relaxed2030Only flags as low trust when several signals stack; still bans outright attacks
Balanced (recommended)2640One weak signal never flags; bans bots and attacks
Strict3046Any single signal is flagged as low trust; also bans stacks of signals

Balanced is the default. Its numbers are tuned so that a normal anonymous visitor (who starts at 50) is never flagged by one stray signal, while bots and attack tools are blocked for sure.

The low-trust and block lines

Below the presets, a single 0–100 bar shows your two draggable handles:

  • Block line (red) — visitors scoring below it are automatically blocked from chat
  • Low-trust line (yellow) — visitors between the two lines are flagged as low trust; at or above it they're trusted

The block line always stays below the low-trust line. A live legend and an impact preview show how many of your current visitors fall into each zone at the lines you've chosen, so you can see the effect before saving.

Signals

Below the lines is the catalog of built-in signals. Each one has a single on/off toggle — that's the only control. Its impact is fixed and shown as a read-only severity badge, and a Permanent or Expires tag tells you whether its effect fades over time. You can't change a signal's weight by hand, and you can't write your own detection rules — the catalog is the same well-tuned set for everyone.

Risk signals (lower the score)

SignalGroupWhat it detectsDefault
Attack-tool user-agentBot detectionThe browser identifies as a known attack/scanner tool (sqlmap, nikto, nmap…). Severe — a single hit blocks.On
High event velocityBot detectionAbnormally high activity rate, typical of automated botsOn
Suspicious URL accessedNetworkVisited an attack/recon path (e.g. .env, /wp-admin, /.git/). Severe — a single hit blocks.On
Shared IP addressNetworkThe IP is shared with several other visitors — a weak datacentre/proxy hintOn
Multiple countriesBehavioralConnected from 3 or more countriesOn
Numerous IP addressesBehavioralUsed 15 or more distinct IPsOn
Multiple devicesBehavioralUsed 5 or more device/browser combinationsOn
Disposable email addressBehavioralEmail uses a known throwaway domain (privacy relays like iCloud Hide My Email are not flagged)On
No-reply / automated emailBehavioralEmail is a no-reply / bounce / mailer-daemon style addressOn

Trust signals (raise the score)

SignalWhat it creditsDefault
Email address setThe visitor has an email on file — the primary "real person" signalOn
Long-standing visitor (90 days)Account older than 90 daysOn
Established visitor (30 days)Account between 30 and 90 days oldOn
External account ID setLinked to your backend via the SDK identify() callOff
Customer value setA customer value / LTV is set via the SDKOff
Plan setA plan / subscription value is setOff
Display name setThe visitor has a display nameOff
The four trust signals that are off by default all rely on profile fields your own integration sets. They're off because an integration that stamps the same value on every visitor would hand out trust indiscriminately — turn one on only if your integration fills that field meaningfully (for example, an external account ID only for signed-in users).

Saving changes

Any edit raises a sticky save bar showing how many changes are pending. Click Save to apply or Reset to discard. Saving is blocked if the block line isn't below the low-trust line. Changes apply going forward — existing scores aren't recalculated retroactively.

Tuning tips

  • Global audience? The signals no longer penalise night-time activity or run VPN/Tor reputation checks, so travellers and remote teams won't pile into the low-trust band. If they still do, move to the Relaxed preset.
  • Lots of identified users? Leave the trust signals on so your real customers float to the top of the score range.
  • Seeing too many or too few flags? Adjust the preset or drag the low-trust line rather than touching individual signals — the lines are the simplest lever.