Yaplet gives every visitor a trust score from 0 to 100 and uses it to decide who chats freely, who is flagged as low trust, and who is blocked. You don't write the scoring logic yourself — instead, the Policy page lets you choose how strict it is and which signals it watches.
Open the Policy page
Go to Security → Policy. (Security is available on the Growth plan and any plan that includes it. If you don't see the Security section, your plan doesn't include it.)
Turn monitoring on or off
The master switch at the top, Security monitoring, controls the whole engine. When it's off, no visitor is scored or blocked, and the rest of the page dims. Turning it off doesn't clear existing statuses — scoring just pauses until you switch it back on.
Pick a protection level
Three one-click presets set both decision lines at once. Choose the one that fits your risk tolerance:
| Level | Block line | Low-trust line | Best for |
|---|---|---|---|
| Relaxed | 20 | 30 | Only flags as low trust when several signals stack; still blocks outright attacks |
| Balanced (recommended) | 26 | 40 | One weak signal never flags; blocks bots and attacks |
| Strict | 30 | 46 | Any single signal is flagged as low trust; also blocks stacks of signals |
Balanced is the default and works well for most sites. If you drag the lines to your own values, the level simply shows as Custom.
Set the low-trust and block lines
A single bar from 0 to 100 has two draggable handles:
- Block line (red) — visitors scoring below it are automatically blocked from chat.
- Low-trust line (yellow) — visitors between the two lines are flagged as low trust; at or above it they're trusted.
The block line always stays below the low-trust line. As you drag, a live preview shows how many of your current visitors would fall into each zone, so you can see the effect before saving.
Switch signals on or off
Below the lines is the catalog of built-in signals. Each one has a single on/off toggle — that's the only control. You can't hand-edit a signal's strength, and you can't write your own detection rules; the catalog is the same well-tuned set for everyone. Each signal shows a read-only severity badge and a note of whether its effect is permanent or fades after 30 days.
Risk signals (lower the score)
- Bot detection — attack-tool browsers (sqlmap, nikto…) and abnormally high activity rates
- Behavioral — many countries, many IPs, many devices, disposable email addresses, and no-reply mailboxes
- Network — suspicious URLs (like
/wp-adminor.env) and IPs shared by many visitors
Trust signals (raise the score)
These reward genuine visitors. Email address set and account age (30 and 90 days) are on by default. Four more — External account ID set, Customer value set, Plan set, and Display name set — are off by default because they rely on profile fields your integration sets; turn one on only if your integration fills that field meaningfully.
Save your changes
Any edit raises a save bar showing how many changes are pending. Click Save to apply or Reset to discard. You can't save while the block line is above the low-trust line. Changes apply going forward — existing scores aren't recalculated.
Once your policy is set, check flagged visitors on the Visitors list.