Originally published at claudeguide.io/claude-prompt-injection-defense
Claude Prompt Injection Defense: 7 Patterns That Work (2026)
Prompt injection is the OWASP #1 LLM vulnerability for 2026 — attackers smuggle instructions through tool outputs, retrieved documents, or user input, and trick Claude into bypassing safety rules. The 7 defenses below stop ~95% of real-world attempts: input sandboxing with explicit markers, role hierarchy enforcement, output validation, secret zoning, tool allow-listing, untrusted-content tagging, and confirmation gates for destructive actions. This guide is what actually works in production — not theoretical mitigations. Each pattern includes Python and TypeScript examples.
For Claude API basics, see the Claude API Security Guide.
What Prompt Injection Actually Looks Like
The naive mental model: "attacker types something malicious into the prompt." The real model: attackers embed instructions in places you read from but didn't write:
- Web pages scraped for context
- Email body parsed by an agent
- PDF contents in a RAG pipeline
- Database rows returned to the model
- Tool outputs (e.g., a search API result)
- Image alt text or QR codes in multimodal
Example attack inside a scraped web page:
html
<p style="font-size:1px"
Top comments (0)