Skip to main content

Prompt Injection Detection

prompt-injection is the request-side policy for jailbreak and instruction-override detection. It supports regex attack patterns, encoding normalization, boundary checks, optional external embedding backends, and optional data-poisoning signals.

Full example

pack:
name: injection-protection
version: 1.0.0
enabled: true
policies:
chain:
- prompt-injection
policy:
prompt-injection:
backend: local
attack_patterns:
- ignore.*previous.*instructions
- forget.*system.*prompt
- reveal.*system.*prompt
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true
response:
action: block
message: "Request blocked: potential prompt injection detected"
log_level: warn

Field reference

FieldTypeNotes
backendstringlocal or external.
endpointstringRequired when backend: external.
modelstringEmbedding model identifier for the external backend.
api_keystringOptional bearer token for the external backend. The value is literal; ${ENV_VAR} interpolation is not performed for this field.
timeout_msintegerTimeout for external embedding calls.
embedding_thresholdnumberSimilarity threshold for embedding-based detection.
attack_patternsstring[]Regex patterns appended to the built-in detector list.
encoding.decode_base64booleanDecode Base64-like input before matching.
encoding.normalize_unicodebooleanNormalize Unicode escapes and related encodings.
encoding.detect_homoglyphsbooleanFold homoglyphs before matching.
boundaries.enforce_delimitersbooleanDetect delimiter confusion across role boundaries.
boundaries.reject_fake_boundariesbooleanDetect fake system-boundary markers.
response.actionstringThe only schema value is block; the detector already blocks every standard injection hit.
response.messagestringValidated metadata; the gateway does not currently substitute this into its returned error body.
response.log_levelstringValidated metadata; it does not currently change runtime logging.
data_poisoning.enabledbooleanTurn on anomaly-style data-poisoning checks.
data_poisoning.backdoor_trigger_patternsstring[]Custom trigger strings to scan for.
data_poisoning.perplexity_thresholdnumberThreshold for anomalous text detection.
data_poisoning.anomaly_actionstringblock, warn, or audit.

The external embedding backend is available only in CLI builds that include the embedding-external feature. Other builds use the local embedding detector even when backend: external is configured.

External backend credentials are literal

The current api_key field does not support environment or secret-store references. Do not put a provider key in a version-controlled config. If your security policy requires referenced secrets at rest, use backend: local; the external backend cannot currently satisfy that requirement.

When data-poisoning detection finds a trigger or anomaly, only anomaly_action: block changes the verdict. warn and audit keep the request allowed and record the signal in policy details.

Common patterns

Local-only detector

policy:
prompt-injection:
attack_patterns:
- ignore.*previous.*instructions
- forget.*system.*prompt
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true
response:
action: block

External embedding backend

Use this shape only for an endpoint that does not require a bearer credential, or in a protected runtime-only config that your organization has explicitly approved for literal secret handling:

policy:
prompt-injection:
backend: external
endpoint: https://embedding-service.example.com/v1/embeddings
model: approved-embedding-model
embedding_threshold: 0.8

Add data-poisoning checks

policy:
prompt-injection:
attack_patterns:
- ignore.*previous.*instructions
data_poisoning:
enabled: true
backdoor_trigger_patterns:
- cfzq
- sleeper trigger
perplexity_threshold: 50
anomaly_action: block

Best practices

  • Put prompt-injection early in the chain so hostile input is blocked before downstream policies run.
  • Keep your custom attack_patterns narrow and readable; overly broad regexes create noisy blocks.
  • Use backend: external only when you need semantic similarity checks beyond the built-in detector and can satisfy the literal-credential limitation.
  • Treat data_poisoning as an extra signal layer, not a replacement for the standard attack patterns and boundary checks.

Next steps