Promptshelf Pattern Deck · 25 defenses · 5 layers
Prompt injection defensive pattern deck · 25 patterns · 5 layers

Defender's view: 25 patterns for the LLM01 attack surface.

Prompt injection has no single fix. It's mitigated by layered defenses: input hardening, system prompt design, output control, tools and privilege, and runtime monitoring. Each pattern here is a one-line summary plus a minimal code sample plus a primary-source citation. Pair with our Prompt Injection Puzzle, which teaches the attack vocabulary; this deck teaches the defense vocabulary. Share any pattern via its #/pattern/<slug> permalink.

Bay 02

How to read this deck.

Every attack class in the Puzzle is mitigated by a stack of three to five patterns from different layers — not a single magic defense. Direct injection is stopped by input sanitization plus instruction precedence plus canned refusal; indirect injection needs dual-LLM separation plus output schema validation plus secret-leak scanning; tool-use hijack needs least-privilege plus human-in-the-loop plus tool allowlist. Pick your threat model, pick a pattern from each layer, stack them.

The code samples are deliberately minimal — illustrative shapes, not production-ready snippets. Each assumes you'll adapt it to your model provider, your runtime, and your data. Citations link to the primary source that best describes the pattern; follow them for rigorous treatment.
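One way to stack the tool-use hijack defenses named above (output schema validation, tool allowlist with least privilege, secret-leak scanning, human-in-the-loop), as an added example that is not one of the deck's own code samples; the tool names, privilege tiers and secret patterns are assumptions:

```python
import json
import re

# Assumed allowlist: tool name -> privilege tier (least privilege by default).
ALLOWED_TOOLS = {"search_docs": "read", "send_email": "write"}
TIERS_NEEDING_APPROVAL = {"write"}
# Constructed secret shapes; a real deployment would plug in its own detector.
SECRET_PATTERNS = [re.compile(r"AKIA[0-9A-Z]{16}"), re.compile(r"sk-[A-Za-z0-9]{20,}")]


def scan_for_secrets(text):
    """Return the patterns that match, so a leak can be logged and blocked."""
    return [p.pattern for p in SECRET_PATTERNS if p.search(text)]


def gate_tool_call(raw_model_output, human_approved=False):
    """Run a model-emitted tool call through the layered checks.

    Returns a dict whose 'decision' is 'allow', 'deny' or 'needs_approval'.
    """
    # Layer 1: output schema validation; anything off-shape is refused outright.
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError:
        return {"decision": "deny", "reason": "model output is not JSON"}
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return {"decision": "deny", "reason": "unexpected top-level schema"}
    args = call["args"]
    if not (isinstance(args, dict)
            and all(isinstance(k, str) and isinstance(v, str) for k, v in args.items())):
        return {"decision": "deny", "reason": "args must be a flat str->str map"}
    # Layer 2: tool allowlist; an injected call to an unknown tool never runs.
    tool = call["tool"]
    if tool not in ALLOWED_TOOLS:
        return {"decision": "deny", "reason": f"tool not in allowlist: {tool!r}"}
    # Layer 3: secret-leak scan on everything that would leave the trust boundary.
    hits = scan_for_secrets(json.dumps(args))
    if hits:
        return {"decision": "deny", "reason": f"secret-like value in args: {hits}"}
    # Layer 4: human-in-the-loop for privileged tiers.
    if ALLOWED_TOOLS[tool] in TIERS_NEEDING_APPROVAL and not human_approved:
        return {"decision": "needs_approval", "tool": tool, "args": args}
    return {"decision": "allow", "tool": tool, "args": args}


if __name__ == "__main__":
    # Constructed sample: an indirect injection that tries to mail out a key.
    hijacked = '{"tool": "send_email", "args": {"to": "a@b.test", "body": "AKIAABCDEFGHIJKLMNOP"}}'
    print(gate_tool_call(hijacked))  # decision: deny (secret-like value in args)
```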

Bay 04

FAQ.

What is this deck?
Twenty-five defensive patterns for prompt injection, organized across five layers: input hardening, system prompt design, output control, tools and privilege, and runtime monitoring. Each pattern is a one-line summary plus a minimal code or configuration sample plus a primary-source citation. It's the defender's companion to our Prompt Injection Puzzle, which teaches the attack vocabulary; this deck teaches the defense vocabulary.
Where are the patterns sourced from?
Primary sources are OWASP LLM01:2025 mitigations, Simon Willison's prompt-injection archive, NIST AI 100-2 2025 (Adversarial Machine Learning taxonomy), OpenAI's Instruction Hierarchy paper, and Anthropic's published work on Constitutional AI and Model Context Protocol. Each pattern card names the single source that best describes it.
Are these sufficient to stop prompt injection?
No. OWASP explicitly states that prompt injection has no general-purpose fix; layered defenses reduce risk but do not eliminate it. The deck is a starting point for your threat model — pick the subset of patterns that matches your application's surface, then stack them. The security community treats prompt injection the same way it treats SQL injection before parameterized queries existed: a class of bug you architect around, not a box you check.
How does the share URL work?
Every pattern card has a Permalink button that encodes the pattern's slug into the URL fragment as #/pattern/<slug>. Open that URL and the page scrolls to the matching card and highlights it for three seconds. The fragment is preserved across reloads and is share-safe — nothing leaks server-side.
Can I use these in commercial applications?
Yes. The patterns are well-known defensive techniques; nothing on this deck is proprietary. The code samples are deliberately minimal templates — they illustrate the shape but will need adaptation to your specific runtime, model provider, and data. Cite OWASP or the named primary source if you document your defenses internally.
How does this pair with the Prompt Injection Puzzle?
The Puzzle teaches ten attack classes — direct injection, delimiter escape, role-play, indirect, payload splitting, encoded/obfuscated, Unicode smuggling, multimodal, tool-use hijack, adversarial suffix. This deck maps twenty-five defensive patterns onto those classes. Most attack classes are mitigated by a stack of three to five patterns from different layers; no single defense addresses everything. Read the Puzzle first, then come here to design your stack.
Does this page send any data?
No. Filtering, permalink focus, and clipboard copy run entirely in the browser. No analytics, no telemetry, no third-party scripts other than Google Fonts (CSS-only). Your filter state lives in the URL fragment, not on any server.
How do I tip the maker?
BTC: bc1qs04leape97ner4wqa98n94l9n0gv9aa84eg4ux — copy button in the tip jar below. No accounts, no signup, no middleman. If this deck saved you from shipping a broken defense, a few thousand sats is a fair thanks — but everything on Promptshelf stays free whether or not you tip.