Prompt Injection Detection
prompt-injection is the request-side policy for jailbreak and instruction-override detection. It supports regex attack patterns, encoding normalization, boundary checks, optional external embedding backends, and optional data-poisoning signals.
Full example
pack:
name: injection-protection
version: 1.0.0
enabled: true
policies:
chain:
- prompt-injection
policy:
prompt-injection:
backend: local
attack_patterns:
- ignore.*previous.*instructions
- forget.*system.*prompt
- reveal.*system.*prompt
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true
response:
action: block
message: "Request blocked: potential prompt injection detected"
log_level: warn
Field reference
| Field | Type | Notes |
|---|---|---|
backend | string | local or external. |
endpoint | string | Required when backend: external. |
model | string | Embedding model identifier for the external backend. |
api_key | string | Optional bearer token for the external backend. The value is literal; ${ENV_VAR} interpolation is not performed for this field. |
timeout_ms | integer | Timeout for external embedding calls. |
embedding_threshold | number | Similarity threshold for embedding-based detection. |
attack_patterns | string[] | Regex patterns appended to the built-in detector list. |
encoding.decode_base64 | boolean | Decode Base64-like input before matching. |
encoding.normalize_unicode | boolean | Normalize Unicode escapes and related encodings. |
encoding.detect_homoglyphs | boolean | Fold homoglyphs before matching. |
boundaries.enforce_delimiters | boolean | Detect delimiter confusion across role boundaries. |
boundaries.reject_fake_boundaries | boolean | Detect fake system-boundary markers. |
response.action | string | The only schema value is block; the detector already blocks every standard injection hit. |
response.message | string | Validated metadata; the gateway does not currently substitute this into its returned error body. |
response.log_level | string | Validated metadata; it does not currently change runtime logging. |
data_poisoning.enabled | boolean | Turn on anomaly-style data-poisoning checks. |
data_poisoning.backdoor_trigger_patterns | string[] | Custom trigger strings to scan for. |
data_poisoning.perplexity_threshold | number | Threshold for anomalous text detection. |
data_poisoning.anomaly_action | string | block, warn, or audit. |
The external embedding backend is available only in CLI builds that include the
embedding-external feature. Other builds use the local embedding detector
even when backend: external is configured.
The current api_key field does not support environment or secret-store
references. Do not put a provider key in a version-controlled config. If your
security policy requires referenced secrets at rest, use backend: local;
the external backend cannot currently satisfy that requirement.
When data-poisoning detection finds a trigger or anomaly, only anomaly_action: block changes the verdict. warn and audit keep the request allowed and record the signal in policy details.
Common patterns
Local-only detector
policy:
prompt-injection:
attack_patterns:
- ignore.*previous.*instructions
- forget.*system.*prompt
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true
response:
action: block
External embedding backend
Use this shape only for an endpoint that does not require a bearer credential, or in a protected runtime-only config that your organization has explicitly approved for literal secret handling:
policy:
prompt-injection:
backend: external
endpoint: https://embedding-service.example.com/v1/embeddings
model: approved-embedding-model
embedding_threshold: 0.8
Add data-poisoning checks
policy:
prompt-injection:
attack_patterns:
- ignore.*previous.*instructions
data_poisoning:
enabled: true
backdoor_trigger_patterns:
- cfzq
- sleeper trigger
perplexity_threshold: 50
anomaly_action: block
Best practices
- Put
prompt-injectionearly in the chain so hostile input is blocked before downstream policies run. - Keep your custom
attack_patternsnarrow and readable; overly broad regexes create noisy blocks. - Use
backend: externalonly when you need semantic similarity checks beyond the built-in detector and can satisfy the literal-credential limitation. - Treat
data_poisoningas an extra signal layer, not a replacement for the standard attack patterns and boundary checks.