Reference · Cheatsheet
Prompt injection defense patterns
Layer defenses — no single filter catches everything.
Layer defenses — no single filter catches everything.
Architecture
- **Separate** user content from instructions (clear delimiters)
- **Never** expose raw system prompts to users
- Run tools with **least privilege** allowlists
- **Validate** tool arguments before execution
- Log and **rate-limit** suspicious patterns
Prompt patterns to block/test
| Attack pattern | Defense |
|----------------|---------|
| "Ignore previous instructions" | Instruction hierarchy + system hardening |
| "Print your system prompt" | Refuse + don't echo secrets |
| Hidden text in pasted docs | Strip HTML/comments; summarize untrusted docs separately |
| Tool hijack ("call delete_all") | Schema validation + human confirm for destructive tools |
Red-team checklist
- 50+ adversarial prompts in test suite
- Untrusted document + malicious footer
- Multi-turn gradual escalation
- Unicode/homoglyph tricks
If injection succeeds
Fail closed: refuse action, alert ops, don't leak internal context.