Prompt-injection defense
Prompt injection is an attempt to make a model ignore the instructions your application gave it. It can come from a user message, pasted text, retrieved documents, tool output, web pages, tickets, emails, or any other content an agent includes in context.
Gate checks for those attempts before the request reaches the model. This page explains what users can expect from the feature: what it is for, what traffic it covers, how policy actions work, and what shows up when Gate intervenes.
For the broader security model, including PII, PHI, credentials, policy settings, and audit behavior, see Security. For plan availability, see Plans.
What it protects against
Prompt-injection defense looks for instructions that try to override, replace, or exfiltrate the behavior your application intended. Common examples include:
- Telling the model to ignore higher-priority instructions.
- Asking for hidden system or developer instructions.
- Changing the model’s role, identity, output format, or task.
- Smuggling instructions inside pasted content, retrieved text, or tool output.
- Hiding a command through encoding, unusual formatting, or invisible characters.
- Steering an agent toward an unsafe tool call or an unintended external action.
Gate reports these as a single prompt injection category. Request details may include a broad label such as instruction override, role manipulation, obfuscation, or indirect injection so you can understand the type of event without exposing implementation details.
Where it runs
Gate evaluates fresh user-authored input before forwarding the request upstream. On paid plans, Gate can also scan untrusted tool-result content as a separate prompt-injection check, because indirect attacks often arrive through data an agent retrieved rather than text the user typed directly.
Some platform-issued traffic, such as health checks and heartbeat probes, is treated as system traffic and skipped. Contentless continuations and tiny framework boilerplate may also pass without a prompt-injection call. Those skips are meant to avoid false positives on traffic that is not a user instruction.
Free and Pro behavior
| Plan | Prompt-injection protection |
|---|---|
| Free | Basic protection is on by default. Gate runs simple regex checks for common prompt-injection patterns and can flag or block according to your policy. You can turn it off from Policies. |
| Pro | Full prompt-injection protection. Gate adds advanced detection for paraphrased, indirect, obfuscated, and novel attacks, plus sensitivity controls and tool-result scanning. |
The Free scanner has narrower coverage than Pro. It is a simple pattern scan that catches the most direct attack types, such as obvious “ignore previous instructions” or role-override phrasing. It will miss many paraphrased, indirect, multilingual, split-turn, or novel attacks. If prompt injection is part of your real threat model, use Pro and tune the policy against your own traffic.
Policy actions
Open Policies, then configure Prompt injection detection.
Prompt-injection detections can be handled two ways:
- Flag: the request is forwarded, and the detection is recorded in Messages, Security, and the audit trail.
- Block: the request is rejected before it reaches the model.
New organizations default to Flag, so you can observe detections before turning on hard blocking. Pro organizations can also choose a sensitivity preset:
| Preset | Target false-positive rate | Use when |
|---|---|---|
| Low | ~0.5% | You want the fewest false positives and only want action on high-confidence attacks. |
| Medium | ~0.75% | You want a balanced default for production traffic. |
| High | ~1% | You want stricter detection and are willing to review more false positives. |
Sensitivity changes how aggressive detection is. Higher sensitivity catches more suspicious traffic, but it also increases the number of legitimate requests that may be flagged or blocked.
What a block looks like
A blocked request never reaches the model. Gate returns HTTP 403 in the same general error shape as the provider endpoint you called, with x-gate-error-source: gateway so you can attribute the rejection.
For OpenAI-compatible endpoints:
{ "error": { "code": "security_blocked", "message": "Request blocked by security policy.", "source": "gateway", "type": "permission_error" }}For the Anthropic Messages API:
{ "type": "error", "error": { "type": "permission_error", "message": "Request blocked by security policy." }}The response includes only the policy error, not matched content or scores. In the dashboard, request details show the affected request and a broad detection category.
For tools you do not control, such as Claude Code or Codex, the block appears as a normal HTTP error. The Gate dashboard gives you the request-level context.
In Claude Code, a block shows Gate’s security message. Claude Code may also add a note telling you to run /login; when the request was blocked by Gate security policy, that login message is not the cause and can be ignored.
Reviewing detections
Use Messages to inspect the affected request and Security to review detections over time. The dashboard shows broad detection categories, not scoring details.
If a legitimate request was flagged or blocked, use Report false positive on the request detail page. Reports are queued for review and recorded as part of the audit trail.
Limits
Prompt-injection defense is a guardrail, not a guarantee that every attack will be caught. Attackers can paraphrase, split instructions across turns, hide instructions in large documents, or invent techniques that have not appeared in training or evaluation data.
Use prompt-injection defense alongside standard application controls:
- Keep system instructions separate from user and tool content.
- Treat retrieved documents, web pages, emails, tickets, and tool output as untrusted data.
- Limit tool permissions to what the agent actually needs.
- Review blocked and flagged traffic before changing a policy from Flag to Block.
Related
- Security: all security checks, policy actions, redaction, storage, and audit behavior.
- How Gate works: where security checks sit in the request flow.
- Plans: Free and Pro feature availability.
- Audit trail: the tamper-evident record for requests and security events.