Policy
Choose a protection level, set the low-trust and block lines, and turn individual trust signals on or off — all on one page.
Overview
The Policy page controls how Security behaves: whether it runs at all, where it draws the low-trust and block lines, and which signals it watches. It replaces the old separate Rules and Settings pages — everything now lives here. (The old /rules and /settings links redirect here automatically.)
Security monitoring
A master switch at the top turns the whole engine on or off:
- On — every visitor is scored in real time and can be flagged or auto-blocked
- Off — no signals are evaluated and no visitor is scored or blocked. The rest of the page dims to show monitoring is paused.
Protection level
Three one-click presets set both lines at once. Pick the one that matches your risk tolerance, or drag the lines yourself to go Custom.
| Preset | Block line | Low-trust line | Best for |
|---|---|---|---|
| Relaxed | 20 | 30 | Only flags as low trust when several signals stack; still bans outright attacks |
| Balanced (recommended) | 26 | 40 | One weak signal never flags; bans bots and attacks |
| Strict | 30 | 46 | Any single signal is flagged as low trust; also bans stacks of signals |
Balanced is the default. Its numbers are tuned so that a normal anonymous visitor (who starts at 50) is never flagged by one stray signal, while bots and attack tools are blocked for sure.
The low-trust and block lines
Below the presets, a single 0–100 bar shows your two draggable handles:
- Block line (red) — visitors scoring below it are automatically blocked from chat
- Low-trust line (yellow) — visitors between the two lines are flagged as low trust; at or above it they're trusted
The block line always stays below the low-trust line. A live legend and an impact preview show how many of your current visitors fall into each zone at the lines you've chosen, so you can see the effect before saving.
Signals
Below the lines is the catalog of built-in signals. Each one has a single on/off toggle — that's the only control. Its impact is fixed and shown as a read-only severity badge, and a Permanent or Expires tag tells you whether its effect fades over time. You can't change a signal's weight by hand, and you can't write your own detection rules — the catalog is the same well-tuned set for everyone.
Risk signals (lower the score)
| Signal | Group | What it detects | Default |
|---|---|---|---|
| Attack-tool user-agent | Bot detection | The browser identifies as a known attack/scanner tool (sqlmap, nikto, nmap…). Severe — a single hit blocks. | On |
| High event velocity | Bot detection | Abnormally high activity rate, typical of automated bots | On |
| Suspicious URL accessed | Network | Visited an attack/recon path (e.g. .env, /wp-admin, /.git/). Severe — a single hit blocks. | On |
| Shared IP address | Network | The IP is shared with several other visitors — a weak datacentre/proxy hint | On |
| Multiple countries | Behavioral | Connected from 3 or more countries | On |
| Numerous IP addresses | Behavioral | Used 15 or more distinct IPs | On |
| Multiple devices | Behavioral | Used 5 or more device/browser combinations | On |
| Disposable email address | Behavioral | Email uses a known throwaway domain (privacy relays like iCloud Hide My Email are not flagged) | On |
| No-reply / automated email | Behavioral | Email is a no-reply / bounce / mailer-daemon style address | On |
Trust signals (raise the score)
| Signal | What it credits | Default |
|---|---|---|
| Email address set | The visitor has an email on file — the primary "real person" signal | On |
| Long-standing visitor (90 days) | Account older than 90 days | On |
| Established visitor (30 days) | Account between 30 and 90 days old | On |
| External account ID set | Linked to your backend via the SDK identify() call | Off |
| Customer value set | A customer value / LTV is set via the SDK | Off |
| Plan set | A plan / subscription value is set | Off |
| Display name set | The visitor has a display name | Off |
Saving changes
Any edit raises a sticky save bar showing how many changes are pending. Click Save to apply or Reset to discard. Saving is blocked if the block line isn't below the low-trust line. Changes apply going forward — existing scores aren't recalculated retroactively.
Tuning tips
- Global audience? The signals no longer penalise night-time activity or run VPN/Tor reputation checks, so travellers and remote teams won't pile into the low-trust band. If they still do, move to the Relaxed preset.
- Lots of identified users? Leave the trust signals on so your real customers float to the top of the score range.
- Seeing too many or too few flags? Adjust the preset or drag the low-trust line rather than touching individual signals — the lines are the simplest lever.