Llm Data Leakage in Actix with Bearer Tokens

When an Actix web service uses Bearer Tokens for authorization and also exposes an endpoint that interacts with an LLM, there is a risk that sensitive token values or other authentication context are included in prompts or logged outputs. This can happen when request metadata (e.g., headers, authorization context) is inadvertently passed into the model input, either directly by developer code or through framework-level logging and tracing integrations. If an attacker can influence the request content or observe side channels, they may be able to induce the LLM to reveal tokens or other data it should not expose.

middleBrick detects this by treating the unauthenticated scan target as an unknown surface: it probes the API to identify endpoints that accept authorization headers and then checks whether any LLM-related endpoints or handlers reflect, echo, or process authorization-derived data. The LLM/AI Security checks include system prompt leakage patterns, active prompt injection probes, and output scanning for secrets such as API keys and Bearer Tokens. In the context of Actix, if a route like /chat or /completion receives an Authorization header and forwards raw request data or headers into the LLM call, middleBrick can flag the behavior as potential data leakage.

For example, consider an Actix handler that builds a prompt from user input and also attaches the authorization context for debugging or personalization. If the handler does not carefully sanitize what is sent to the LLM, a crafted request might cause the model to reproduce the token in its response. middleBrick’s output scanning looks for Bearer Tokens in model responses and surfaces findings with severity levels and remediation guidance, helping developers understand where token handling must be constrained.

Additionally, the scanner cross-references the OpenAPI spec (if available) with runtime behavior. If the spec documents an Authorization header requirement but the LLM endpoint does not clearly isolate token usage, this discrepancy is highlighted as a finding. This is important for Actix services that define scopes or roles in token claims and then forward unstructured user input to LLM services without strict schema validation or input filtering.

Because Actix is a Rust framework that often emphasizes performance and typed routing, developers may inadvertently pass authorization information through request extensions or logging middleware that later feeds into an LLM call. middleBrick’s checks for unsafe consumption and property authorization help surface these indirect paths by comparing declared security schemes with actual runtime behavior, focusing on whether Bearer Tokens appear in model prompts or responses.

To reduce the risk of LLM data leakage involving Bearer Tokens in Actix, ensure that tokens are never included in prompts or logged outputs. Instead, use the token strictly for authentication and authorization at the framework boundary, and keep it out of any data structures that are passed to LLM handlers.

Here is an example of an unsafe Actix handler that forwards headers into an LLM call:

// UNSAFE: exposes Bearer Token to LLM
async fn unsafe_chat(
    req: HttpRequest,
    body: String,
) -> Result {
    let auth_header = req.headers().get("Authorization")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");
    let prompt = format!("User: {}\nAuth: {}\nQuery: {}", auth_header, body);
    let llm_response = call_llm(&prompt).await?;
    Ok(HttpResponse::Ok().body(llm_response))
}

In the above, the Authorization header is directly concatenated into the prompt, which can lead to leakage if the LLM echoes it. A safer approach is to validate the token early and then exclude it from the prompt:

// SAFE: token used only for auth checks, not sent to LLM
async fn safe_chat(
    req: HttpRequest,
    body: String,
) -> Result {
    // Validate Bearer Token for access control, do not forward to LLM
    let token = req.headers().get("Authorization")
        .and_then(|v| v.to_str().ok())
        .filter(|v| v.starts_with("Bearer "))
        .map(|v| &v[7..])
        .ok_or_else(|| error::ErrorUnauthorized("invalid auth"))?;

    // Perform authorization checks using token (e.g., verify scopes)
    if !is_valid_token(token) {
        return Err(error::ErrorForbidden("insufficient scope"));
    }

    // Build prompt without auth context
    let prompt = format!("User query: {}", body);
    let llm_response = call_llm(&prompt).await?;
    Ok(HttpResponse::Ok().body(llm_response))
}

For applications using Actix extractors, prefer typed extractors and avoid passing headers into payloads that reach LLM logic. You can also centralize authentication by implementing a guard that verifies Bearer Tokens before the handler runs, ensuring the handler never sees the raw Authorization header:

// Using a guard to strip auth before handler
fn with_auth_middleware(
    req: ServiceRequest,
    credentials: &str,
) -> Result {
    if validate_bearer(credentials) {
        // Remove auth from extensions if not needed downstream
        let req = req.map_into_right_body();
        Ok(req)
    } else {
        Err((error::ErrorUnauthorized("invalid token"), req))
    }
}

// Handler only receives the sanitized request
async fn chat_handler(body: String) -> impl Responder {
    let prompt = format!("Query: {}", body);
    let llm_response = call_llm(&prompt).await.unwrap();
    HttpResponse::Ok().body(llm_response)
}

Additionally, review logging and tracing configurations in Actix to ensure that Authorization headers are not captured in access logs or tracing spans that might be visible to the LLM or stored insecurely. These practices align with the remediation guidance provided by middleBrick findings, which include specific steps to prevent tokens from appearing in model outputs and to map findings to frameworks such as OWASP API Top 10.

• How does middleBrick detect LLM data leakage involving Bearer Tokens in Actix APIs? It runs unauthenticated probes that include sending requests with Bearer Tokens and checks whether any LLM-related endpoints reflect those tokens in responses, while also comparing declared authentication requirements in OpenAPI specs with observed runtime behavior.
• Does fixing LLM data leakage in Actix require changes to the LLM service or only the Actix application? Remediation focuses on the Actix application: ensure tokens are used only for authorization at the edge and are never included in prompts, request bodies, or logs that reach the LLM; changes to the LLM service itself are typically not required.