Documentation
Security model
Prompt Defenders is a preflight scanner: it runs before user text reaches privileged LLM contexts so risky content can be blocked, quarantined, or routed for review.
Deployment model
Run it inline, act on thresholds
- Inline guardrail — call
scanInput()(Node) or the CLI inside your API, chatbot gateway, or orchestrator before any LLM call. - Severity thresholds — treat score ≥ 50 (high) as a hard block and score ≥ 80 (critical) as block plus alert; log advisories for your SOC.
- Hash-only logging — store
meta.inputHashplus advisories for auditing; never persist raw prompts. - Feedback loop — return a safe remediation hint when you block, so users understand the denial.
Privacy posture
What the service keeps (and doesn't)
Submitted text exists only during request processing. The service computes an HMAC-SHA256 hash for correlation, records input length and timestamp, and discards the raw input. Telemetry (Datadog RUM) runs with mask-user-input.
Raw input never storedHMAC-SHA256 hash only100KB input cap10 req/min rate limitProd API-key authMasked telemetry inputs
Full policies: PRIVACY.md · SECURITY.md
Limitations
What it deliberately does not claim
- The rule pack is regex-based — it cannot catch every obfuscated payload, image-based attack, or multi-turn exploit. Pair it with output filtering.
- Scanning is synchronous over UTF-8 text; normalize binary attachments, audio transcripts, or streaming partials upstream.
- It is not downstream policy enforcement — you still need sandboxing, least-privilege tool access, and output filters at the model boundary.
- Deep analysis is intentionally out-of-band (async queue) to protect latency-sensitive conversations, and currently uses a placeholder LLM stub.
Layered defense
Complementary controls
- Network: rate limiting, IP reputation, WAF rules ahead of the scanner.
- Application: authentication, role-based access, strict separation of system prompts from user content.
- Observability: pipe advisories into your SIEM so attack clusters surface.
- Human-in-the-loop: route blocked prompts on critical workflows (payments, admin actions) to an analyst instead of discarding them.
Found a vulnerability in Prompt Defenders itself? Report privately via GitHub Security Advisories— please don't open a public issue.