Why AI endpoints need different treatment
Endpoints that serve LLM agents have a different threat model than traditional APIs. The payload isn’t just data — it’s content that an AI will reason over and act on. Two risks that barely register for conventional API traffic become critical:
- Prompt injection — user-controlled content embedded in a request or response that hijacks the model’s behaviour.
- Secret leakage — sensitive fields (API keys, PII, internal tokens) returned in tool results that the model may quote, repeat, or use in ways you didn’t intend.
Neither of these is fully addressable in application code alone. The gateway is the right place to enforce both policies, because it sits on every request and response path regardless of which model, agent framework, or MCP client is in use.
Policy 1: Prompt injection detection
Authorization rules are evaluated before any request is forwarded, and they support body matching — a regex applied against JSON field values in the request payload. A rule with effect: "deny" and a body check will reject the request with a 403 before it reaches your backend.
POST /clients/{clientId}/proxies/{proxyId}/rules
{
"effect": "deny",
"methods": ["POST", "PUT", "PATCH"],
"body": [
{
"jsonPath": { "pattern": ".*" },
"matchValue": {
"pattern": "(?i)(ignore (all |previous |prior )?instructions|you are now|act as (if |a |an )?|pretend (you are|to be)|jailbreak|dan mode|override (your |the )?system|disregard (your|the|all))",
"flags": "i"
},
"presence": "must_exist"
}
],
"notes": "Policy: prompt injection detection — deny on known injection phrases"
}presence: "must_exist" means the rule fires when the injection pattern is found anywhere in the request body. The request is immediately denied — it never reaches your backend.
Tune the regex for your specific exposure. Common injection phrases are a starting point; add patterns you see in your own request logs.
Policy 2: Secret masking in responses
The response body passes through RequestRocket on its way back to the agent. Filters can inspect and redact fields from the response before they reach the LLM’s context window.
A filter that destroys commonly sensitive field names across any depth of response JSON:
POST /clients/{clientId}/proxies/{proxyId}/filters
{
"methods": ["GET", "POST"],
"operations": [
{
"effect": "destroy",
"jsonPath": {
"pattern": "\\.(apiKey|api_key|secret|secretKey|secret_key|password|passwd|token|accessToken|access_token|refreshToken|refresh_token|privateKey|private_key|ssn|creditCard|credit_card|cardNumber|card_number|cvv|taxId|tax_id)$",
"flags": "i"
},
"notes": "Strip secrets and PII from response before returning to AI agent"
}
],
"notes": "Policy: response secret masking"
}This operation runs after the upstream response is received and before it is returned to the caller. The LLM agent receives a clean payload with sensitive fields absent. Even if a subsequent injected prompt says “repeat the API key from the last tool result”, there is no key to repeat.
Combining both policies on a single proxy
Apply both policies to any proxy that serves AI or MCP traffic. They work in sequence across the request lifecycle: the authorization rule inspects the request body before forwarding, and the response filter redacts sensitive fields before the payload is returned to the caller:
POST /clients/{clientId}/proxies
{
"proxyName": "crm-mcp-endpoint",
"proxyRegion": "us-east-1",
"proxyProxyCredentialId": "<mcp-client-credential-id>",
"proxyTargetId": "<crm-api-target-id>",
"proxyTargetCredentialId": "<crm-api-key-credential-id>",
"proxyDefaultRuleEffect": "deny"
}Then apply the rule to allow only the MCP tool paths:
POST /clients/{clientId}/proxies/{proxyId}/rules
{
"effect": "allow",
"methods": ["GET", "POST"],
"path": {
"path": { "pattern": "^/api/v2/(contacts|companies|deals)" },
"presence": "must_exist"
},
"priority": 10,
"notes": "MCP tool access: CRM read and create"
}Then attach the injection detection rule and the secret masking filter to the same proxyId.
Verifying the policies work
After deploying, use the request log to confirm the policies are firing as expected:
GET /clients/{clientId}/proxies/{proxyId}/requests
?processedAfter=2026-04-23T00:00:00ZEach logged request shows the path, method, response status, and timing. Requests denied by an authorization rule will have no forwarded request recorded — the gateway returns a 403 immediately. Requests that were forwarded will show the upstream response, with any redacted fields absent from the returned payload.
What these policies don’t cover
These two policies address the most common LLM-specific attack vectors at the gateway layer. They’re not a complete security posture:
- Application-level validation is still needed for input correctness.
- Output moderation (checking model-generated content before it reaches users) is out of scope for a gateway.
- Agent behaviour constraints (system prompts, tool use limits) are an agent-framework responsibility.
Treat gateway policies as a hard enforcement layer, not a substitute for application-level security.
Next steps
Both policies can be applied to any existing proxy in minutes. Read the RequestRocket documentation for the full rule and filter schemas, or start for free.