Documentation

Security model

Prompt Defenders is a preflight scanner: it runs before user text reaches privileged LLM contexts so risky content can be blocked, quarantined, or routed for review.

Run it inline, act on thresholds

  • Inline guardrail — call scanInput() (Node) or the CLI inside your API, chatbot gateway, or orchestrator before any LLM call.
  • Severity thresholds — treat score ≥ 50 (high) as a hard block and score ≥ 80 (critical) as block plus alert; log advisories for your SOC.
  • Hash-only logging — store meta.inputHash plus advisories for auditing; never persist raw prompts.
  • Feedback loop — return a safe remediation hint when you block, so users understand the denial.

What the service keeps (and doesn't)

Submitted text exists only during request processing. The service computes an HMAC-SHA256 hash for correlation, records input length and timestamp, and discards the raw input. Telemetry (Datadog RUM) runs with mask-user-input.

Raw input never storedHMAC-SHA256 hash only100KB input cap10 req/min rate limitProd API-key authMasked telemetry inputs

Full policies: PRIVACY.md · SECURITY.md

What it deliberately does not claim

  • The rule pack is regex-based — it cannot catch every obfuscated payload, image-based attack, or multi-turn exploit. Pair it with output filtering.
  • Scanning is synchronous over UTF-8 text; normalize binary attachments, audio transcripts, or streaming partials upstream.
  • It is not downstream policy enforcement — you still need sandboxing, least-privilege tool access, and output filters at the model boundary.
  • Deep analysis is intentionally out-of-band (async queue) to protect latency-sensitive conversations, and currently uses a placeholder LLM stub.

Complementary controls

  • Network: rate limiting, IP reputation, WAF rules ahead of the scanner.
  • Application: authentication, role-based access, strict separation of system prompts from user content.
  • Observability: pipe advisories into your SIEM so attack clusters surface.
  • Human-in-the-loop: route blocked prompts on critical workflows (payments, admin actions) to an analyst instead of discarding them.

Found a vulnerability in Prompt Defenders itself? Report privately via GitHub Security Advisories— please don't open a public issue.