Llm Data Leakage in Chi with Mutual Tls

LLM data leakage in a Chi application that uses mutual TLS (mTLS) occurs when sensitive information such as prompts, model outputs, or credentials traverses an unguarded channel or is exposed through logging or error handling, despite mTLS providing transport-layer identity assurance. In Chi, this typically arises when developers configure mTLS for client and server authentication but overlook protections for the data flowing inside secure sessions. For example, an LLM endpoint implemented as a Chi handler may inadvertently write full user prompts or API keys to application logs or return detailed error messages that include model responses, allowing an authenticated but compromised service or insider to exfiltrate sensitive data.

Mutual TLS ensures that both client and server present valid certificates, which prevents many network-level attacks such as man-in-the-middle. However, mTLS does not prevent application-layer data exposure. In Chi, an LLM handler that accepts a request containing a user prompt and forwards it to an external model might log the prompt for debugging. If the log level is verbose or if structured logs include the full request body, sensitive content can be retained in log stores. Similarly, if the LLM response contains personal data or API keys and the handler does not sanitize the output before sending it back to the client, leakage occurs over the mTLS-encrypted channel. Attackers who have obtained a valid client certificate—through misconfiguration or credential theft—can leverage these application-layer gaps to access or infer sensitive information.

Another scenario involves improper certificate management in Chi routes that serve LLM endpoints. If mTLS is enforced globally but route-specific security policies are inconsistent, some endpoints might accept unauthenticated or improperly authenticated requests. For instance, a Chi router might apply mTLS middleware to most routes but omit it for a health-check or legacy endpoint that interacts with the LLM service. This inconsistency creates a pathway where an unauthenticated caller could probe the system and potentially trigger information disclosure through error handling or metadata leakage in LLM responses. Even when mTLS is correctly configured, failing to rotate certificates or to revoke compromised credentials quickly can prolong exposure of sensitive data processed by the LLM.

Developers should treat mTLS as one layer of defense and apply additional controls around LLM data handling in Chi. This includes redacting or masking sensitive input before logging, ensuring that LLM outputs are filtered for secrets or PII before transmission, and using structured error handling that does not expose internal prompts or model details. Instrumentation should capture security-relevant events without retaining raw sensitive data. For example, instead of logging the full request, log only a hashed identifier and the outcome category. These practices reduce the risk that authenticated sessions protected by mTLS still leak data through the application logic surrounding LLM interactions.

As an example, consider a Chi handler that forwards a user query to an LLM and streams the response:

(ns app.llm-handler
  (:require [cheshire.core :as json]
            [clj-http.client :as http]))

(defn safe-llm-handler [request]
  (let [prompt (:body request)
        ;; Avoid logging raw prompt in production
        _ (when (not= (:env request) "prod")
            (println "DEBUG: received prompt" prompt))
        response (http/post "https://api.example.com/v1/completions"
                            {:headers {"Authorization" (str "Bearer " (:api-key request))}
                             :body (json/generate-string {:prompt prompt})})]
    {:status 200
     :body (:body response)}))

In this snippet, the prompt is printed to standard output when not in production, which could lead to leakage in logs. A safer approach is to avoid logging the prompt entirely or to hash it for audit purposes. Additionally, the handler should ensure that the LLM response is scanned for secrets before inclusion in the HTTP body, and that mTLS is enforced at the server level so that only clients with valid certificates can invoke the route.

Remediation for LLM data leakage in Chi with mTLS focuses on minimizing data exposure at the application layer while preserving the integrity of mutual authentication. Concrete steps include strict input and output handling, careful logging strategies, and robust certificate lifecycle management. The following code examples illustrate secure patterns for a Chi application that integrates mTLS and interacts with an LLM.

First, enforce mTLS at the server level and define a Chi route that requires client certificates. Use middleware to validate the client certificate and extract identity information without relying on the request body for authorization decisions.

(ns app.mtls-config
  (:require [cheshire.core :as json]
            [clj-http.client :as http]
            [ring.middleware.anti-forgery :refer [anti-forgery-field]
             [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]]
            [buddy.sign.jwt :as jwt]))

(defn verify-client-cert [handler]
  (fn [request]
    (let [client-cert (some-> request :ssl-client-cert)]
      (if (and client-cert (valid-certificate? client-cert))
        (handler request)
        {:status 403 :body "Forbidden"}))))

(defn wrap-logging [handler]
  (fn [request]
    (let [correlation-id (java.util.UUID/randomUUID)]
      ;; Log only correlation ID and route, never raw prompt or response
      (println (str "[" correlation-id "] " (:request-method request) " " (:uri request)))
      (handler request))))

(def app
  (-> (routes
        (GET "/llm/completion" request
             (let [prompt (sanitize-input (:body request))
                   api-key (:api-key request)]
               (try
                 (let [response (call-llm prompt api-key)]
                   {:status 200
                    :body (sanitize-output response)})
                 (catch Exception e
                   {:status 500
                    :body (str "Internal error")}))))
        (wrap-logging)
        (verify-client-cert))
      (wrap-anti-forgery)))n

In this example, verify-client-cert ensures that only requests with valid client certificates are processed. The logging middleware records a correlation ID and HTTP method and URI, avoiding inclusion of sensitive payloads. The sanitize-input and sanitize-output functions represent placeholders for validation and filtering logic that remove or mask secrets and PII before storage or transmission.

When calling the LLM, use a dedicated client that enforces timeouts and does not follow redirects unexpectedly, reducing SSRF and data exfiltration risks. Never include raw API keys in URLs or logs; instead, pass them via secure configuration or environment variables accessible to the Chi application at runtime.

(ns app.llm-client
  (:require [clj-http.client :as http]
            [cheshire.core :as json]))

(defn call-llm [prompt api-key]
  (let [url "https://api.example.com/v1/completions"
        payload (json/generate-string {:model "text-davinci-003" :prompt prompt :max_tokens 100})]
    (http/post url
               {:headers {"Authorization" (str "Bearer " api-key)
                          "Content-Type" "application/json"}
                :body payload
                :conn-timeout 5000
                :socket-timeout 10000
                :throw-exceptions true})))

This client isolates the network call and ensures that exceptions are propagated as errors rather than leaking stack traces. By combining mTLS enforcement, disciplined logging, and careful handling of LLM inputs and outputs, Chi applications can significantly reduce the likelihood of LLM data leakage while maintaining secure authenticated communication.