Llm Data Leakage in Chi with Basic Auth

Chi is a runtime environment commonly used for serverless functions and API services. When an endpoint in Chi is protected only by HTTP Basic Authentication and also exposes an LLM integration (for example, a chat-completion route or a tool-use endpoint), there is a risk that prompts, system instructions, or other sensitive runtime data leak through LLM outputs. This can occur when error messages, debug content, or verbose logging are returned in the LLM response and inadvertently reveal credentials, internal service names, or configuration details.

Basic Authentication sends credentials in an Authorization header encoded as Base64, not encrypted. If the Chi service does not enforce strict transport-level protections and an LLM endpoint reflects request context in its replies, an attacker who can probe the endpoint might infer whether Basic Auth is in use and attempt to coax credential information via prompt-injection or output extraction techniques. middleBrick’s LLM/AI Security checks include system prompt leakage detection and active prompt injection testing specifically designed to uncover these cross-vector exposures, including attempts to extract credentials that are present only in request headers or runtime context.

During a scan, middleBrick analyzes the API specification (OpenAPI/Swagger with full $ref resolution) and runs the unauthenticated attack surface tests. For a Chi endpoint using Basic Auth, the scanner checks whether the LLM output can disclose the authorization header’s effective realm, service name, or any embedded identifiers. Findings may surface as instances where error replies include stack traces referencing Chi routes or modules, or where crafted prompts cause the model to echo parts of the request context. Because the scanner does not authenticate, it focuses on what an unauthenticated attacker could observe: verbose messages, misconfigured CORS, or insecure logging that appears in LLM responses.

Remediation guidance from middleBrick emphasizes defense-in-depth: enforce TLS for all traffic, avoid embedding secrets in prompts or logs, and treat LLM endpoints as untrusted output channels. The combination of Basic Auth and LLM interfaces in Chi requires careful input validation and output sanitization to ensure that no internal identifiers or credential hints appear in model replies. middleBrick’s per-category breakdowns map findings to frameworks such as OWASP API Top 10 and provide prioritized remediation steps, helping teams understand the severity and exact configuration to review.

Using the middleBrick CLI, you can scan a Chi endpoint with middlebrick scan https://api.example.com and receive a report that includes an LLM/AI Security section highlighting any detected leakage patterns. The dashboard allows you to track scores over time, while the Pro plan’s continuous monitoring can schedule regular scans and raise alerts if risk scores degrade. Remember, middleBrick detects and reports these issues; it does not fix or block them directly, so follow the provided remediation guidance to adjust your Chi service configuration and secure the LLM interaction path.

To reduce the risk of LLM data leakage when using Basic Authentication in Chi, apply strict transport security, sanitize outputs, and avoid exposing sensitive context to the model. Below are concrete practices and code examples you can adapt to your Chi service.

• Enforce HTTPS for all routes. Without TLS, Base64-encoded credentials in the Authorization header can be intercepted. Configure your Chi server to redirect HTTP to HTTPS and require secure connections.
• Do not include credentials in prompts, logs, or error messages that could be echoed by the LLM. Ensure your logging middleware redacts the Authorization header before writing entries that might be surfaced through LLM outputs.
• Validate and sanitize any user input that influences LLM prompts. Use strict allowlists for expected values and reject malformed or suspicious payloads before they reach the model.
• Isolate the LLM endpoint from internal service metadata. Avoid returning stack traces or module paths in production error responses, and standardize error payloads to generic messages.

Example: Securing a Chi HTTP function with Basic Auth and an LLM endpoint.

// chi_llm_secure.js — Chi function with Basic Auth and LLM call
import { createRouter } from 'itty-router';
import { basicAuth } from 'itty-router-basic-auth';
import fetch from 'node-fetch';

const router = createRouter();

// Simple in-memory user store; use a secure vault in production
const users = {
  'analyst': 's3cr3tP@ss',
};

// Apply Basic Auth middleware
router.use(basicAuth(users));

// Secure LLM handler
router.post('/chat/completions', async (request) => {
  // Ensure TLS is enforced at the edge or ingress; reject non-HTTPS in production checks
  const authorization = request.headers.get('authorization');
  if (!authorization || !authorization.startsWith('Basic ')) {
    return new Response(JSON.stringify({ error: 'Unauthorized' }), { status: 401, headers: { 'Content-Type': 'application/json' } });
  }

  const body = await request.json().catch(() => ({}));
  const userPrompt = typeof body?.prompt === 'string' ? body.prompt : '';

  // Sanitize input: reject control characters and very long prompts
  if (!userPrompt || userPrompt.length > 2000 || /[\x00-\x1F\x7F]/.test(userPrompt)) {
    return new Response(JSON.stringify({ error: 'Invalid input' }), { status: 400, headers: { 'Content-Type': 'application/json' } });
  }

  // Call the LLM endpoint; avoid injecting request metadata into the prompt
  const llmResponse = await fetch('https://llm-provider.example.com/v1/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.LLM_API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      model: 'gpt-4o-mini',
      messages: [{ role: 'user', content: userPrompt }],
      // Do not include debug info or internal identifiers in the request to the LLM
    }),
  });

  const data = await llmResponse.json();

  // Basic output guard: do not forward raw model responses that may contain secrets
  if (!data.choices || !Array.isArray(data.choices) || data.choices.length === 0) {
    return new Response(JSON.stringify({ error: 'Model response error' }), { status: 502, headers: { 'Content-Type': 'application/json' } });
  }

  const content = data.choices[0]?.message?.content ?? '';
  // Optional: run a simple PII/key regex filter before returning
  const filtered = content
    .replace(/\b[A-Za-z0-9+/=]{20,}==?\b/g, '[REDACTED]')
    .replace(/\bsk_live_[a-zA-Z0-9]{20,}\b/g, '[REDACTED]');

  return new Response(JSON.stringify({ choices: [{ message: { content: filtered } }] }), {
    headers: { 'Content-Type': 'application/json' },
  });
});

export default router;

In this example, credentials are used only for incoming request validation and are never included in the prompt sent to the LLM. The response filters potential secrets before returning data to the caller. Combine this with middleware that redacts sensitive headers from logs and you reduce the chance of LLM-driven leakage in Chi services using Basic Auth.

For teams using the middleBrick ecosystem, the CLI command middlebrick scan https://api.example.com will highlight unauthenticated LLM exposure risks and provide remediation steps. The Pro plan can schedule these scans and alert on regressions, while the MCP Server lets you trigger scans from your AI coding assistant within the IDE.