Prompt hardening
System Prompt Leak Prevention
System prompts should be useful operational guidance, not secret vaults. Reduce leak impact by removing secrets and enforcing policy outside the model.
Updated 2026-07-06
Design prompts as visible guidance
A system prompt can define tone, role, constraints, and task framing. It should not contain credentials, API keys, hidden allow-lists, private customer data, unreleased business logic, or the only copy of a security policy. Treat it like configuration that might be inspected, logged, or quoted.
This posture changes the question from "how do we make the prompt impossible to reveal?" to "what happens if a user sees it?" A well-designed system has a boring answer: they learn how the assistant is supposed to behave, but they do not receive secrets or new authority.
Remove high-impact material
- Secrets and tokens: keep them in secret management and server-side code.
- Hidden policy logic: enforce user permissions, tool access, and content policy outside the model.
- Sensitive architecture details: describe behavior without exposing internal systems that do not need to be prompt-visible.
- Bypass instructions: avoid writing a map of what the assistant should never disclose if ordinary code can enforce the rule.
Harden what remains
Good prompt guidance names trust boundaries. Tell the assistant which content is user intent, which content is untrusted data, and which outputs require application validation. Give it a safe fallback when data is missing. Require structured output where the application expects structure. Require confirmation before high-impact actions, then make the product UI enforce that confirmation.
Use the system prompt linter to catch common gaps, then use the risk checklist to review the application controls around the prompt. A prompt can ask for safe behavior; the application has to make unsafe behavior hard to execute.
Prompt leakage
Prompt injection explained
Developer framing for why prompt injection targets applications and why prompts should not be treated as secret security boundaries.
OWASP
OWASP LLM01:2025 Prompt Injection
Guidance on direct and indirect prompt injection risks and mitigation themes.
Architecture
The Dual LLM pattern
A pattern for separating privileged model decisions from untrusted-content processing.
System prompt leak FAQ
Is a system prompt leak always a breach?
It depends on what the prompt contains. A leak is much worse if the prompt contains secrets, sensitive architecture details, hidden policy logic, or instructions that enable bypasses.
Can wording stop users from extracting a system prompt?
Wording can reduce casual leakage, but it is not a security boundary. Design prompts as if they may be seen and keep real secrets elsewhere.
What should a hardened system prompt contain?
It should describe role, task boundaries, untrusted content handling, tool-use expectations, output format, and escalation behavior, while leaving enforcement to application code.