Tune your security policy

Updated May 22, 2026

Yaplet gives every visitor a trust score from 0 to 100 and uses it to decide who chats freely, who is flagged as low trust, and who is blocked. You don't write the scoring logic yourself — instead, the Policy page lets you choose how strict it is and which signals it watches.

Open the Policy page

Go to Security → Policy. (Security is available on the Growth plan and any plan that includes it. If you don't see the Security section, your plan doesn't include it.)

Turn monitoring on or off

The master switch at the top, Security monitoring, controls the whole engine. When it's off, no visitor is scored or blocked, and the rest of the page dims. Turning it off doesn't clear existing statuses — scoring just pauses until you switch it back on.

Pick a protection level

Three one-click presets set both decision lines at once. Choose the one that fits your risk tolerance:

Level Block line Low-trust line Best for
Relaxed 20 30 Only flags as low trust when several signals stack; still blocks outright attacks
Balanced (recommended) 26 40 One weak signal never flags; blocks bots and attacks
Strict 30 46 Any single signal is flagged as low trust; also blocks stacks of signals

Balanced is the default and works well for most sites. If you drag the lines to your own values, the level simply shows as Custom.

Set the low-trust and block lines

A single bar from 0 to 100 has two draggable handles:

  • Block line (red) — visitors scoring below it are automatically blocked from chat.
  • Low-trust line (yellow) — visitors between the two lines are flagged as low trust; at or above it they're trusted.

The block line always stays below the low-trust line. As you drag, a live preview shows how many of your current visitors would fall into each zone, so you can see the effect before saving.

Switch signals on or off

Below the lines is the catalog of built-in signals. Each one has a single on/off toggle — that's the only control. You can't hand-edit a signal's strength, and you can't write your own detection rules; the catalog is the same well-tuned set for everyone. Each signal shows a read-only severity badge and a note of whether its effect is permanent or fades after 30 days.

Risk signals (lower the score)

  • Bot detection — attack-tool browsers (sqlmap, nikto…) and abnormally high activity rates
  • Behavioral — many countries, many IPs, many devices, disposable email addresses, and no-reply mailboxes
  • Network — suspicious URLs (like /wp-admin or .env) and IPs shared by many visitors

Trust signals (raise the score)

These reward genuine visitors. Email address set and account age (30 and 90 days) are on by default. Four more — External account ID set, Customer value set, Plan set, and Display name set — are off by default because they rely on profile fields your integration sets; turn one on only if your integration fills that field meaningfully.

Save your changes

Any edit raises a save bar showing how many changes are pending. Click Save to apply or Reset to discard. You can't save while the block line is above the low-trust line. Changes apply going forward — existing scores aren't recalculated.

Once your policy is set, check flagged visitors on the Visitors list.

Did this article answer your question?