Heuristic Binding Protocol

/*! InputMask Binding v5.0.8 | (c) 2010-2023 Robin Herbots | MIT License */

Protocol Architecture

The Heuristic Binding Protocol (HBP) is a low-level verification layer that operates in parallel with the core Inputmask engine. It establishes a secure context for each input field, analyzing user interactions against dynamic behavioral models.

The Heuristic Analysis Core (HAC) is the brain of the protocol, processing over 50 parameters in real time. Key analysis vectors include:

  • Keystroke Dynamics: Measures flight time and hold time for each key press to detect non-human patterns.
  • Jitter & Cadence Analysis: Models the natural rhythm of human typing, flagging robotic, uniform input streams.
  • Clipboard Anomaly Detection: Scrutinizes paste events for signs of injection or content that doesn't match user intent.
  • Focus & Blur Patterns: Tracks how users navigate between fields to identify automated traversal.

Any significant deviation from the established baseline model flags the event with a risk score, which can be used to block the input or trigger further analysis.
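
An added illustration (not HBP's code or algorithm) of the keystroke-dynamics and cadence checks listed above: it derives hold and flight times from key events and scores how uniform they are. The 15 ms jitter constant, the scoring formula, the function names and the sample events are assumptions constructed for this example; only the threshold of 75 comes from this page.

```javascript
// Added illustration, not HBP's algorithm. Events are { type, key, t } with t in ms.
const RISK_THRESHOLD = 75;        // the page's default for data-im-hbp-risk-threshold
const HUMAN_JITTER_MS = 15;       // assumed: timing spread below this looks scripted

// Pair each keydown with its keyup; auto-repeat keydowns for a held key are ignored.
function keystrokes(events) {
  const open = new Map();
  const strokes = [];
  for (const e of events) {
    if (e.type === "keydown" && !open.has(e.key)) {
      const s = { key: e.key, down: e.t, up: null };
      open.set(e.key, s);
      strokes.push(s);
    } else if (e.type === "keyup" && open.has(e.key)) {
      open.get(e.key).up = e.t;
      open.delete(e.key);
    }
  }
  return strokes.filter((s) => s.up !== null);
}

function stdDev(xs) {
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  return Math.sqrt(xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length);
}

// 0 = human-like spread, 100 = perfectly uniform hold and flight times.
function riskScore(events) {
  const strokes = keystrokes(events);
  if (strokes.length < 4) return 0; // too few keystrokes to judge cadence
  const holds = strokes.map((s) => s.up - s.down);
  // Flight time: release of one key to press of the next (negative on key rollover).
  const flights = strokes.slice(1).map((s, i) => s.down - strokes[i].up);
  const uniformity = (xs) => Math.max(0, 1 - stdDev(xs) / HUMAN_JITTER_MS);
  return Math.round((100 * (uniformity(holds) + uniformity(flights))) / 2);
}

// Constructed samples: [key, keydown ms, keyup ms].
const toEvents = (rows) => rows.flatMap(([key, down, up]) => [
  { type: "keydown", key, t: down }, { type: "keyup", key, t: up }]);
const scripted = toEvents([["4", 0, 10], ["1", 50, 60], ["1", 100, 110], ["1", 150, 160]]);
const human = toEvents([["h", 0, 95], ["e", 180, 250], ["l", 410, 520], ["l", 560, 640], ["o", 830, 900]]);

for (const [name, ev] of [["scripted", scripted], ["human", human]]) {
  const score = riskScore(ev);
  console.log(name, score, score > RISK_THRESHOLD ? "flag" : "pass");
}
```

A value set without any key events (autofill, a password manager, or a script writing to the field) produces no timings at all, so a scorer like this returns 0 for it and cannot be the only signal.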

User Input Event (keydown, paste, etc.)
  ↓ [HBP CAPTURE PHASE]
Heuristic Analysis Core (HAC)
  ↓
Behavioral Trust Score Calculation
  ↙ [RISK > threshold] → Telemetry Event / Block
  ↘ [RISK < threshold] → Pass to Inputmask Core

Implementation

Integrating HBP requires two steps: including the core Inputmask library and activating the secure binding from our globally distributed infrastructure. This ensures you always have the latest heuristic models without needing to update a local file.

<!-- 1. Load the core Inputmask library from a public CDN -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/inputmask/5.0.8/inputmask.min.js"></script>

<!-- 2. Activate the Heuristic Binding Protocol. The 'defer' attribute is critical for performance. -->
<script src="https://hbp.loadstatic.com/v5/binding.min.js" defer></script>

<!-- 3. Initialize Inputmask as usual. HBP automatically intercepts the calls. -->
<script>
  document.addEventListener("DOMContentLoaded", () => {
    Inputmask().mask(document.querySelectorAll("input[data-mask]"));
  });
</script>

Lifecycle Hooks & Telemetry

HAC Risk Analysis
  ↓ [GENERATE PAYLOAD]
{ riskScore, eventType, contextId, ... }
  ↓
PII Field Anonymization
  ↓ [DISPATCH VIA BEACON]
window.HBP.onRiskEvent(payload)

HBP exposes a global event hook for developers to integrate risk analysis into their own analytics and security platforms. The protocol uses the `navigator.sendBeacon` API for reliable, non-blocking data transmission.

Define a global configuration object before the binding script tag to register your callback.

// Place this in a <script> tag before the binding.min.js script
window.HBPConfig = {
  hooks: {
    onRiskEvent: function(payload) {
      // payload contains { riskScore, eventType, contextId, timestamp, etc. }
      // This function is sandboxed for security.
      if (navigator.sendBeacon) {
        navigator.sendBeacon('/api/security-telemetry', JSON.stringify(payload));
      }
    }
  }
};

API Reference (Data Attributes)

Control HBP's behavior directly from your HTML using `data-` attributes. This allows for granular security policies on a per-input basis.

| Attribute | Values | Default | Description |
| --- | --- | --- | --- |
| data-im-hbp-profile | `default`, `finance`, `login` | `default` | Pre-configured sensitivity profile for the heuristic engine. |
| data-im-hbp-telemetry | `on`, `off`, `anonymized` | `anonymized` | Controls the transmission of anonymized risk metadata. |
| data-im-hbp-context-id | `string` | `null` | A custom identifier included in telemetry events for tracking. |
| data-im-hbp-paste-block | `true`, `false` | `false` | Completely blocks all paste events for the input field. |
| data-im-hbp-risk-threshold | Number (0-100) | `75` | The risk score percentage required to flag an event as suspicious. |