llm-security

Installs: 190
Rank: #4512

Install

npx skills add https://github.com/semgrep/skills --skill llm-security

Comprehensive security rules for building secure LLM applications. Based on the OWASP Top 10 for Large Language Model Applications 2025 - the authoritative guide to LLM security risks.

How It Works

  • When building or reviewing LLM applications, reference these security guidelines

  • Each rule includes vulnerable patterns and secure implementations

  • Rules cover the complete LLM application lifecycle: training, deployment, and inference

Categories

Critical Impact

  • LLM01: Prompt Injection - Prevent direct and indirect prompt manipulation

  • LLM02: Sensitive Information Disclosure - Protect PII, credentials, and proprietary data

  • LLM03: Supply Chain - Secure model sources, training data, and dependencies

  • LLM04: Data and Model Poisoning - Prevent training data manipulation and backdoors

  • LLM05: Improper Output Handling - Sanitize LLM outputs before downstream use

High Impact

  • LLM06: Excessive Agency - Limit LLM permissions, functionality, and autonomy

  • LLM07: System Prompt Leakage - Protect system prompts from disclosure

  • LLM08: Vector and Embedding Weaknesses - Secure RAG systems and embeddings

  • LLM09: Misinformation - Mitigate hallucinations and false outputs

  • LLM10: Unbounded Consumption - Prevent DoS, cost attacks, and model theft

Usage

Reference the rules in the rules/ directory for detailed examples:

  • rules/prompt-injection.md - Prompt injection prevention (LLM01)

  • rules/sensitive-disclosure.md - Sensitive information protection (LLM02)

  • rules/supply-chain.md - Supply chain security (LLM03)

  • rules/data-poisoning.md - Data and model poisoning prevention (LLM04)

  • rules/output-handling.md - Output handling security (LLM05)

  • rules/excessive-agency.md - Agency control (LLM06)

  • rules/system-prompt-leakage.md - System prompt protection (LLM07)

  • rules/vector-embedding.md - RAG and embedding security (LLM08)

  • rules/misinformation.md - Misinformation mitigation (LLM09)

  • rules/unbounded-consumption.md - Resource consumption control (LLM10)

  • rules/_sections.md - Full index of all rules

Quick Reference

| Category | Key controls |
|---|---|
| Prompt Injection | Input validation, output filtering, privilege separation |
| Sensitive Disclosure | Data sanitization, access controls, encryption |
| Supply Chain | Verify models, SBOM, trusted sources only |
| Data Poisoning | Data validation, anomaly detection, sandboxing |
| Output Handling | Treat LLM as untrusted, encode outputs, parameterize queries |
| Excessive Agency | Least privilege, human-in-the-loop, minimize extensions |
| System Prompt Leakage | No secrets in prompts, external guardrails |
| Vector/Embedding | Access controls, data validation, monitoring |
| Misinformation | RAG, fine-tuning, human oversight, cross-verification |
| Unbounded Consumption | Rate limiting, input validation, resource monitoring |

Key Principles

  • Never trust LLM output - Validate and sanitize all outputs before use

  • Least privilege - Grant minimum necessary permissions to LLM systems

  • Defense in depth - Layer multiple security controls

  • Human oversight - Require approval for high-impact actions

  • Monitor and log - Track all LLM interactions for anomaly detection
