Llm Data Leakage in Hapi with Mutual Tls

When LLM endpoints are served behind Mutual TLS (mTLS) in Hapi, a common misconfiguration can unintentionally expose sensitive prompts, system instructions, or internal tool usage patterns. Although mTLS strengthens transport-layer identity verification, it does not prevent an LLM from leaking data in its responses. middleBrick’s LLM/AI Security checks specifically test for system prompt leakage, output PII, and exposed tool call details, which can occur when Hapi routes forward user input directly to an LLM without sufficient output controls.

In a typical Hapi setup with mTLS, the server authenticates clients via client certificates, but the application logic may still pass raw user messages to an LLM endpoint. If the LLM is misconfigured or prompted poorly, it can echo back system instructions, reveal tool schemas, or expose private data embedded in prompts. This is especially risky when the LLM endpoint is unauthenticated or when API keys are handled insecurely. middleBrick detects system prompt leakage using 27 regex patterns tailored to formats such as ChatML, Llama 2, Mistral, and Alpaca, and it actively probes for jailbreaks and data exfiltration paths that can bypass expected safeguards.

Additionally, excessive agency detection is critical in this context. Hapi services that integrate LLMs with tool calling or function_call capabilities may inadvertently allow an attacker to coerce the model into performing unauthorized actions or revealing internal agent states. Because mTLS ensures who is connecting but not what the LLM outputs, a poorly designed prompt or tool schema can lead to sensitive information appearing in responses. The LLM/AI Security checks scan for PII, API keys, and executable code in LLM responses, flagging cases where tool calls or LangChain agent patterns expose more than intended.

Another subtle risk arises when unauthenticated LLM endpoints are accessible within a mTLS-protected network. Even with client certificates, if the LLM route does not enforce its own access controls, malicious actors who obtain a valid certificate might probe for prompt injection or cost exploitation. middleBrick’s active prompt injection testing includes five sequential probes—system prompt extraction, instruction override, DAN jailbreak, data exfiltration, and cost exploitation—to surface these issues in Hapi deployments. These tests help identify whether LLM responses leak system prompts or enable unauthorized behavior, regardless of the transport-layer security provided by mTLS.

Operational visibility is essential. middleBrick’s OpenAPI/Swagger spec analysis correlates mTLS expectations defined in the spec with runtime behavior, ensuring that security configurations align with actual endpoints. This approach surfaces inconsistencies, such as missing security schemes or overly permissive routes, that could allow LLM data leakage despite the presence of mTLS. By combining runtime scans with spec-aware analysis, middleBrick provides prioritized findings with severity ratings and remediation guidance tailored to Hapi-based LLM integrations.

To reduce LLM data leakage risk in Hapi while using Mutual TLS, apply strict request validation, minimize exposed information in prompts, and enforce robust output filtering. The following patterns demonstrate secure Hapi server configurations that align with mTLS best practices and reduce the likelihood of unintended data exposure.

1. Enforce mTLS and Validate Client Certificates

Ensure your Hapi server is configured to require and validate client certificates. This prevents unauthenticated access to LLM routes even within a trusted network.

const Hapi = require('@hapi/hapi');
const tls = require('tls');

const init = async () => {
  const server = Hapi.server({
    port: 443,
    host: 'api.example.com',
    tls: {
      cert: tls.createSecureContext({
        cert: 'server-cert.pem',
        key: 'server-key.pem',
      }),
      requestCert: true,
      rejectUnauthorized: true,
      ca: ['client-ca.pem'],
    },
  });

  server.route({
    method: 'POST',
    path: '/llm/chat',
    options: {
      tls: {
        cert: tls.createSecureContext({
          cert: 'server-cert.pem',
          key: 'server-key.pem',
        }),
        requestCert: true,
        rejectUnauthorized: true,
        ca: ['client-ca.pem'],
      },
      validate: {
        payload: {
          message: Joi.string().required().max(2000),
          userId: Joi.string().guid().required(),
        },
        headers: Joi.object({
          'x-client-id': Joi.string().required(),
        }).unknown(),
      },
    },
    handler: (request, h) => {
      // Process request securely
      return { status: 'ok' };
    },
  });

  await server.start();
};

init();

2. Sanitize Inputs and Restrict LLM Tool Usage

Limit what information is sent to the LLM and avoid exposing internal tool schemas. Validate and sanitize all inputs before forwarding them to the LLM endpoint.

const sanitizeInput = (input) => {
  return input.replace(/