Mitigate jailbreaks and prompt injections

Jailbreaking and prompt injection are attempts to make Claude ignore its guidelines or your instructions. While Claude is inherently resilient to such attacks, the additional steps on this page strengthen your guardrails, particularly against uses that violate our Terms of Service or Usage Policy.

These attacks fall into two categories with different threat models:

• Jailbreaks and direct prompt injection, where the user of your application is the adversary and crafts inputs intended to bypass your guardrails.
• Indirect prompt injection, where the user is trusted but Claude processes third-party content (web pages, emails, documents, tool results) that contains adversarial instructions.



Jailbreaks and direct prompt injection

In this threat model, a user is deliberately crafting inputs to manipulate your application into producing content or taking actions you don't want it to. These mitigations strengthen your application's guardrails:

• Harmlessness screens: Use a lightweight model like Claude Haiku 4.5 to pre-screen user input before it reaches your main conversation. Use structured outputs to constrain the response to a simple classification.

  Example: Harmlessness screen for content moderation

• Input validation: Filter user input for known injection patterns before it reaches Claude. You can use an LLM to create a generalized validation screen by providing known jailbreaking language as examples.

• Prompt engineering: Craft system prompts that emphasize ethical and legal boundaries, and that explicitly tell Claude how to refuse.

  Example: Ethical system prompt for an enterprise chatbot

• Respond to repeat offenders: Adjust responses and consider throttling or banning users who repeatedly attempt to circumvent your application's guardrails. For example, if a particular user triggers the same kind of refusal multiple times (such as "output blocked by content filtering policy"), tell the user that their actions violate the relevant usage policies and take action accordingly.



Indirect prompt injection

In this threat model, you're protecting your users from instructions embedded in content that Claude reads on their behalf: the body of an inbound email, a fetched web page, OCR output from an uploaded file, or the result of a tool call. An attacker who can influence that content may embed instructions that try to redirect Claude.

Structure your application so that Claude can reliably distinguish untrusted content from your instructions:

• Put untrusted content only in tool results. Deliver third-party content to Claude inside tool_result blocks, never in system prompts or plain user text blocks. Claude is trained to treat instructions that appear inside tool results with appropriate skepticism. See Handle tool calls for the tool_result format.

• Tell Claude what the content is and where it came from. In the tool's description, or in the structure of the result itself, make the nature and source of the content explicit: for example, that it is the body of an inbound email from an unknown sender, or OCR text extracted from a user-uploaded image. This context helps Claude calibrate how much to trust embedded directives.

• State the policy in your system prompt. Tell Claude explicitly that content returned from tools, documents, or searches is untrusted data and must never override the system prompt or the user's original request.

  Example: System prompt guidance for a document-processing agent



Continuous monitoring

Regularly analyze outputs for signs of successful injection. Use this monitoring to iteratively refine your prompts, validation, and filtering strategies.



Advanced: Chain safeguards

Combine strategies for robust protection. Here's an enterprise-grade example with tool use:

By layering these strategies, you create a robust defense against jailbreaking and prompt injections, ensuring your Claude-powered applications maintain the highest standards of safety and compliance.