Reference · Cheatsheet

Prompt injection defense patterns

Layer defenses — no single filter catches everything.

Layer defenses — no single filter catches everything.

Architecture

  • **Separate** user content from instructions (clear delimiters)
  • **Never** expose raw system prompts to users
  • Run tools with **least privilege** allowlists
  • **Validate** tool arguments before execution
  • Log and **rate-limit** suspicious patterns

Prompt patterns to block/test

| Attack pattern | Defense |

|----------------|---------|

| "Ignore previous instructions" | Instruction hierarchy + system hardening |

| "Print your system prompt" | Refuse + don't echo secrets |

| Hidden text in pasted docs | Strip HTML/comments; summarize untrusted docs separately |

| Tool hijack ("call delete_all") | Schema validation + human confirm for destructive tools |

Red-team checklist

  • 50+ adversarial prompts in test suite
  • Untrusted document + malicious footer
  • Multi-turn gradual escalation
  • Unicode/homoglyph tricks

If injection succeeds

Fail closed: refuse action, alert ops, don't leak internal context.

**Related lessons:** `prompt-injection` · glossary: `jailbreak`, `red-teaming`