| Bearer tokens | `Bearer ...` (20+ char tokens) |
Secrets detection runs **before** PII detection. Three actions available:
-- **block** (default): Returns HTTP 422, request never reaches LLM
+- **block** (default): Returns HTTP 400, request never reaches LLM
- **redact**: Replaces secrets with placeholders, unredacts in response (reversible)
- **route_local**: Routes to local LLM (route mode only)
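Review bot: the changed `block` bullet does not say how a caller tells a secrets block apart from any other 400, which the more specific 422 made easier. Suggest naming the signal in the same bullet, for example the `X-PasteGuard-Secrets-Detected: true` header that the block path sets, so clients do not have to match on error text.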
log_detected_types: true # Log types (never logs content)
```
-- **block** (default): Returns HTTP 422 error, request never reaches LLM
+- **block** (default): Returns HTTP 400 error, request never reaches LLM
- **redact**: Replaces secrets with placeholders, unredacts in response (reversible, like PII masking)
- **route_local**: Routes to local provider when secrets detected (requires route mode)
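Review bot: on the changed `block` bullet, the move from 422 to 400 is visible to every caller, and nothing here tells someone upgrading that client code or alerting keyed on 422 will stop matching. Suggest a one-line note beside the bullet that earlier versions returned 422. Minor: this bullet says "HTTP 400 error" while the shorter feature list says "HTTP 400"; pick one wording for both.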
enabled: true
# Action to take when secrets are detected:
- # block: Block the request with HTTP 422 (default, secure-by-default)
+ # block: Block the request with HTTP 400 (default, secure-by-default)
# redact: Replace secrets with placeholders, unmask in response (reversible)
# route_local: Route to local provider (only works in route mode)
action: block
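Review bot: the `# block:` comment hard-codes the status number, so the config comment is one more place that must be edited whenever the code changes (this commit touches the same number in the docs, the config and the source). Suggest dropping the number here, e.g. `# block: Reject the request before it reaches the LLM (default, secure-by-default)`, and leaving the exact status to the documentation.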
const secretTypes = secretsResult.matches.map((m) => m.type);
const secretTypesStr = secretTypes.join(",");
- // Block action - return 422 error
+ // Block action - return 400 error
if (config.secrets_detection.action === "block") {
// Set headers before returning error
c.header("X-PasteGuard-Secrets-Detected", "true");
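Review bot: only the comment above `if (config.secrets_detection.action === "block")` changes in this hunk; the status value actually passed to the response is not among the visible lines. Please confirm the literal in the return that follows was changed to 400 as well, along with any test that still asserts 422, and consider a named constant for the status so the comment and the code cannot drift apart.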