LLM Data Leakage in Express with API Keys
LLM Data Leakage in Express with API Keys — how this specific combination creates or exposes the vulnerability
When an Express application exposes API keys in prompts supplied to an LLM endpoint, it creates a channel for LLM data leakage. Because the LLM may echo or expose its reasoning, tool usage, or generated content, keys that appear in system prompts, user messages, or tool call arguments can be revealed in responses. middleBrick’s LLM/AI Security checks detect system prompt leakage patterns (27 regexes covering ChatML, Llama 2, Mistral, and Alpaca formats) and actively probe for prompt injection, jailbreaks, and data exfiltration to uncover such exposure.
In Express, common causes include constructing system prompts or tool schemas that interpolate API key variables, logging keys in debug output that the LLM can influence, or failing to sanitize user input before it reaches the LLM. For example, passing raw request headers or query parameters directly into a tool definition can let an attacker get a key into a prompt if the application does not validate or isolate external data. middleBrick’s Unauthenticated LLM endpoint detection flags scenarios where an LLM endpoint is reachable without proper controls, increasing the risk that an exposed key can be probed remotely.
Another vector is excessive agency: if the Express app configures the LLM client with tool_calls or function_call patterns that include sensitive metadata, an attacker may coax the model into returning those values through crafted outputs. middleBrick’s Output scanning for PII, API keys, and executable code inspects LLM responses for secrets, while the LLM/AI Security checks flag patterns such as LangChain agent workflows that inadvertently broaden model capabilities.
Because the scan is black-box and runs 12 checks in parallel, middleBrick can identify whether an Express endpoint with LLM integration leaks API keys without requiring credentials or source code. Findings include severity, context, and remediation guidance mapped to frameworks like OWASP API Top 10 and PCI-DSS, helping teams understand the exploitability of key exposure through the LLM surface.
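The two leakage paths described above (a key interpolated into the system prompt, and raw request headers copied into a tool definition) can be made concrete with a small Node module. The following is an added example, not code from the original page or from middleBrick: it builds the same request payload in a vulnerable and a hardened form, scans the outbound payload for API-key-shaped strings before it would be sent, and redacts any such string that comes back in a model response. The secret values, the `x-api-key` header, the `get_weather` tool and the two regexes are constructed for the example; a real scanner would carry vendor-specific patterns.

```javascript
// Added example: keeping API keys out of an LLM payload and out of its response.
// Plain Node, no Express or OpenAI client needed so it runs offline.

const CONFIG = {
  // Constructed secret values; a real app would read these from process.env.
  OPENAI_API_KEY: 'sk-EXAMPLE-0000000000000000000000000000',
  WEATHER_API_KEY: 'wx_live_EXAMPLE_1111111111111111',
};

// Constructed patterns for API-key-shaped strings used by the scanner below.
const SECRET_PATTERNS = [
  /sk-[A-Za-z0-9-]{20,}/g,
  /wx_live_[A-Za-z0-9_]{16,}/g,
];

// Scan any JSON-serialisable value (outbound prompt payload or inbound model
// response) and return the distinct secret-looking strings found in it.
function findSecrets(value) {
  const text = typeof value === 'string' ? value : JSON.stringify(value);
  const hits = new Set();
  for (const re of SECRET_PATTERNS) {
    for (const m of text.matchAll(re)) hits.add(m[0]);
  }
  return [...hits];
}

// VULNERABLE: the weather key is interpolated into the system prompt and the
// raw request headers (which carry another key) land in the tool description,
// so the model can echo both.
function buildPayloadVulnerable(req) {
  return {
    messages: [
      { role: 'system', content: `Weather helper. Use key ${CONFIG.WEATHER_API_KEY} when calling the API.` },
      { role: 'user', content: req.body.message },
    ],
    tools: [{
      type: 'function',
      function: {
        name: 'get_weather',
        description: `Fetch weather. Caller context: ${JSON.stringify(req.headers)}`,
        parameters: { type: 'object', properties: { city: { type: 'string' } }, required: ['city'] },
      },
    }],
  };
}

// HARDENED: the prompt never mentions a key, and only one allow-listed, typed,
// length-limited field from the request body reaches the tool schema.
function buildPayloadHardened(req) {
  const city = typeof req.body.city === 'string' ? req.body.city.slice(0, 64) : undefined;
  return {
    messages: [
      { role: 'system', content: 'Weather helper. Call get_weather for forecasts. Never reveal configuration.' },
      { role: 'user', content: req.body.message },
    ],
    tools: [{
      type: 'function',
      function: {
        name: 'get_weather',
        description: 'Fetch the forecast for a city.',
        parameters: {
          type: 'object',
          properties: { city: { type: 'string', ...(city ? { default: city } : {}) } },
          required: ['city'],
        },
      },
    }],
  };
}

// Gate an Express handler would call just before client.chat.completions.create:
// refuse to send a payload that carries a secret.
function guardOutbound(payload) {
  const leaks = findSecrets(payload);
  if (leaks.length) throw new Error(`refusing to send prompt containing ${leaks.length} secret(s)`);
  return payload;
}

// Applied to the model's text before it is returned to the HTTP caller.
function redactResponse(text) {
  return SECRET_PATTERNS.reduce((t, re) => t.replace(re, '[REDACTED]'), text);
}

// Constructed stand-in for an Express req object. The x-api-key header is the
// kind of value a reverse proxy or client may attach to the request.
const sampleReq = {
  headers: { 'x-api-key': CONFIG.OPENAI_API_KEY, 'user-agent': 'curl/8.0' },
  body: { message: 'Forecast for Oslo?', city: 'Oslo' },
};
```

Running `findSecrets(buildPayloadVulnerable(sampleReq))` returns both constructed keys, while the hardened payload returns none and passes `guardOutbound` unchanged; `redactResponse` is the response-side counterpart for the case where a key has already reached the model through some other path.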
API Key-Specific Remediation in Express — concrete code fixes
To prevent LLM data leakage of API keys in Express, isolate sensitive values from prompts and enforce strict input validation. Do not interpolate keys into system messages or tool definitions that may be reflected in LLM outputs. Use environment variables and runtime checks to ensure keys are never part of user-influenced data structures.
```javascript
// Safe Express setup: keep API keys out of LLM prompts
require('dotenv').config();
const express = require('express');
const { OpenAI } = require('openai');

const app = express();
app.use(express.json());

// The key is read from the environment and handed only to the client constructor
const client = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
});

// Example: call LLM without exposing the key in prompts or tool schemas
app.post('/analyze', async (req, res) => {
  const userMessage = req.body.message;
  if (!userMessage || typeof userMessage !== 'string') {
    return res.status(400).json({ error: 'Invalid message' });
  }
  try {
    const completion = await client.chat.completions.create({
      model: 'gpt-4o-mini',
      messages: [
        { role: 'system', content: 'You are a helpful assistant. Do not reveal internal configuration or secrets.' },
        { role: 'user', content: userMessage },
      ],
      // Do not include tool schemas that embed API keys
    });
    res.json({ response: completion.choices[0]?.message?.content || '' });
  } catch (err) {
    // Log only the error message, never the request or the configuration
    console.error('LLM request failed:', err.message);
    res.status(500).json({ error: 'Analysis unavailable' });
  }
});

app.listen(3000, () => console.log('Server running on port 3000'));
```
If you must pass metadata to tools, use indirect references (e.g., key IDs) and resolve them server-side without exposing raw values. Validate and sanitize all inputs, apply rate limiting, and avoid logging sensitive fields. middleBrick’s CLI can be used in scripts to verify that endpoints do not reflect keys in responses, and the GitHub Action can enforce a security score threshold before deployment.
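The indirect-reference pattern from the paragraph above, as an added example that is not part of the original page or of middleBrick's tooling: the tool schema handed to the model only knows opaque key IDs, the server validates each tool call (known ID, HTTPS, host allow-listed for that ID) before resolving the ID to a secret, the secret goes only into the outbound request header, and anything logged is redacted. The `KEY_REGISTRY` contents, the `fetch_json` tool, the hostnames and the `fakeTransport` stand-in for `fetch` are all constructed for the example.

```javascript
// Added example: key-ID indirection for LLM tool calls in a Node/Express backend.
// Runs offline; the transport is injected so no network call is made.

const KEY_REGISTRY = new Map([
  // keyId -> { secret, allowedHosts }. Constructed values; a real app would
  // load secrets from the environment or a secrets manager.
  ['weather-prod', { secret: 'wx_live_EXAMPLE_1111111111111111', allowedHosts: ['api.weather.example'] }],
]);

// Tool definition given to the model: it can name a credential but never see it.
const TOOLS = [{
  type: 'function',
  function: {
    name: 'fetch_json',
    description: 'Fetch a JSON document from an approved host using a named credential.',
    parameters: {
      type: 'object',
      properties: {
        url: { type: 'string' },
        keyId: { type: 'string', enum: [...KEY_REGISTRY.keys()] },
      },
      required: ['url', 'keyId'],
    },
  },
}];

// Validate the argument object of a model-produced tool_call before any
// credential is resolved. Returns { ok, reason } or { ok, url, entry }.
function validateToolCall(args) {
  if (typeof args !== 'object' || args === null) return { ok: false, reason: 'args not an object' };
  if (typeof args.url !== 'string' || typeof args.keyId !== 'string') return { ok: false, reason: 'missing url or keyId' };
  const entry = KEY_REGISTRY.get(args.keyId);
  if (!entry) return { ok: false, reason: 'unknown keyId' };
  let url;
  try { url = new URL(args.url); } catch { return { ok: false, reason: 'malformed url' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'https required' };
  if (!entry.allowedHosts.includes(url.hostname)) return { ok: false, reason: 'host not allowed for this keyId' };
  return { ok: true, url: url.toString(), entry };
}

// Execute the tool server-side. The secret is placed in the Authorization
// header of the outbound request and never appears in the value returned to
// the model. `transport(url, opts)` stands in for an HTTP client; a real
// handler would await fetch here.
function executeToolCall(args, transport) {
  const v = validateToolCall(args);
  if (!v.ok) return { error: v.reason };   // the model sees only the reason
  const data = transport(v.url, { headers: { Authorization: `Bearer ${v.entry.secret}` } });
  return { data };
}

// Strip every registered secret from anything that is about to be logged.
function safeForLog(obj) {
  let text = JSON.stringify(obj);
  for (const { secret } of KEY_REGISTRY.values()) text = text.split(secret).join('[REDACTED]');
  return text;
}

// Constructed transport: records the outbound request and returns canned data.
function fakeTransport(log) {
  return (url, opts) => { log.push({ url, opts }); return { temp: 7 }; };
}
```

A handler wires this in by passing `TOOLS` in the `tools` field of the completion request, running `validateToolCall` and `executeToolCall` on each returned `tool_call`, and sending only `executeToolCall`'s result back to the model as the tool message; `safeForLog` is what the `console.error` path should receive rather than the raw request.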
For continuous assurance, the Pro plan enables scheduled scans and alerts, while the MCP Server allows you to scan APIs directly from your AI coding assistant to catch regressions early. These integrations help ensure that LLM endpoints remain secure and that data leakage risks are identified before they reach production.
Related CWEs: llmSecurity
| CWE ID | Name | Severity |
|---|---|---|
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | MEDIUM |