Risk Scoring for Laravel
Cbox Risk
Cbox Risk
Score an incoming request — a registration, a login, a form submit — against many independent signals, combine them into one explainable number, and map that number to a graduated outcome: allow → flag → challenge → step-up → reject. Every decision carries the reasons that produced it.
The mental model
RiskContext ── [ Signal, Signal, Signal … ] ──► score ──► Outcome
(request) each returns points+reason Σ×weight via thresholds
- A
RiskContextcaptures the request (IP, user-agent, email, headers, plus anything you add: honeypot, submit timing, fingerprint). - Each
Signalindependently returns points and a human reason, or nothing. - The scorer sums
points × weight, and the total picks the most severeOutcomeband it reaches. Allowlisted IPs/domains bypass scoring. - Every assessment exposes its breakdown — no black boxes.
Why not just block?
Because a wrong block locks out a real user, and because an automated decision that materially affects someone carries obligations (GDPR Art. 22 — see Security). Cbox Risk prefers friction over refusal (CAPTCHA, step-up) and is explainable by construction, so you can tune it, justify it, and recover false positives.
Read next
- Installation
- Quickstart — protect a route in one line
- Signals & weights — every signal, its points, and how to tune it
- Cookbook — registration, login, tuning, custom actions
- Architecture — context, signals, scorer, outcomes
- Extending — your own signals, providers, and caches
- Testing — fakes and deterministic scoring
- Data sources — external feeds, licenses, and refresh cadence
- Security & privacy — honest scope, GDPR Art. 22, data minimization