# Threat Coverage

Highflame Browser Security detects and enforces policy across six threat categories. All detection runs locally in the browser — no request content leaves the device until a violation is recorded.

***

## Prompt injection

Detects attempts to manipulate AI models through crafted prompts. Applies to traffic sent to ChatGPT, Claude, Gemini, Copilot, Perplexity, Meta AI, and any other AI platform you configure.

| Pattern                          | Examples                                                                                |
| -------------------------------- | --------------------------------------------------------------------------------------- |
| **Jailbreak**                    | "DAN", "do anything now", "god mode", "developer mode"                                  |
| **Role hijacking**               | "act as", "pretend you are", "you are now", "your new persona"                          |
| **Instruction override**         | "ignore previous instructions", "disregard the above", "forget everything"              |
| **System prompt leak**           | "repeat your system prompt", "what are your hidden instructions", "reveal your context" |
| **Instruction bypass**           | "ignore your safety guidelines", "override your restrictions"                           |
| **Data exfiltration via prompt** | "send this to \[email]", "exfiltrate the following", "forward to"                       |
| **Malicious intent**             | "create malware", "write an exploit", "help me hack"                                    |

The kernel extracts the prompt text from each AI platform's native request format before evaluating — ChatGPT JSON, Gemini protobuf, and Copilot SignalR are all parsed correctly.

***

## Data exfiltration

Detects sensitive data patterns in outbound network requests (fetch, XHR, WebSocket) destined for external domains.

| Data type                         | Detection method                                                              |
| --------------------------------- | ----------------------------------------------------------------------------- |
| **PII — Email addresses**         | RFC 5322 pattern matching                                                     |
| **PII — Social Security Numbers** | XXX-XX-XXXX format                                                            |
| **PII — Credit card numbers**     | 16-digit card number patterns                                                 |
| **JWTs and bearer tokens**        | `eyJ...eyJ...` signature format                                               |
| **API keys and secrets**          | `password`, `token`, `secret`, `apikey`, `api_key` patterns in request bodies |

Detection applies to the request URL, headers, and body. Internal domain traffic is excluded — only requests to domains outside your configured allowlist are checked.

***

## Token theft

A specialized exfiltration check for bearer tokens and JWTs. When a JWT is detected in a request to an external domain that is not the token's intended issuer, the request is blocked and the violation is recorded.

This protects against XSS-based token extraction and malicious scripts that attempt to forward session credentials to attacker-controlled infrastructure.
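The following is an added example (not Highflame's code) that covers both the data exfiltration table above and the issuer check described here: it scans a request's URL, headers and body for the listed PII patterns and JWTs, and flags a JWT whose `iss` claim does not match the destination host. The request object shape, the hostname allowlist and the sample token are constructed here; the Luhn check on card numbers goes beyond what the page states and is one common way to cut false positives; `Buffer` assumes Node.

```javascript
// Added example, not Highflame's code: scan an outbound request (URL, headers, body)
// for PII patterns and JWTs, and flag a JWT whose `iss` claim is not the destination.
const PII_PATTERNS = {
  email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/,
  ssn: /\b\d{3}-\d{2}-\d{4}\b/,
  card: /\b(?:\d[ -]?){15}\d\b/,       // 16 digits, optional space or dash separators
};
// Header and payload both begin with "eyJ" because each base64url-encodes '{"...'.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

// Luhn check (assumed extra step): cuts false positives on arbitrary 16-digit runs.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Decode the (unverified) payload and return the hostname of its `iss` claim.
function jwtIssuerHost(token) {
  try {
    const claims = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString());
    return claims.iss ? new URL(claims.iss).hostname : null;
  } catch { return null; }
}

// request = { url, headers: {name: value}, body }; allowlist = internal hostnames.
function scanRequest(request, allowlist) {
  const dest = new URL(request.url).hostname;
  const findings = [];
  if (allowlist.includes(dest)) return findings;   // internal traffic is not inspected
  for (const text of [request.url, ...Object.values(request.headers), request.body]) {
    for (const [type, re] of Object.entries(PII_PATTERNS)) {
      const m = text.match(re);
      if (!m || (type === 'card' && !luhnValid(m[0].replace(/\D/g, '')))) continue;
      findings.push({ type });
    }
    for (const jwt of text.match(JWT_RE) || []) {
      const issuer = jwtIssuerHost(jwt);
      findings.push({ type: issuer && issuer !== dest ? 'token_theft' : 'jwt', issuer });
    }
  }
  return findings;
}

// Constructed sample: an unsigned JWT from login.example.com (not a real credential).
const b64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const SAMPLE_JWT = `${b64u({ alg: 'none' })}.${b64u({ iss: 'https://login.example.com' })}.`;
```

A finding of type `token_theft` is the case the Token theft section describes: a valid-looking JWT leaving for a host other than its issuer.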

***

## Sensitive file uploads

Inspects file uploads to AI platforms for regulated or sensitive content before the upload is allowed. When a file contains PII patterns or matches your configured keyword lists, the upload is blocked.

Applies to `<input type="file">` and drag-and-drop uploads on monitored AI platform URLs.

***

## Clipboard attacks

Monitors paste events on AI platform pages. When pasted content matches prompt injection patterns or contains sensitive data, the paste is blocked and the user sees an inline notification explaining why.

This addresses attacks where users are tricked into pasting adversarial content (from a phishing email, web page, or document) directly into an AI chat.
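As an added example (not Highflame's code) tying the prompt injection pattern table to the paste check described here: the phrases from the table are compiled into one case-insensitive, whitespace-tolerant regex per category, and a paste handler cancels the event and returns the inline notification text when the pasted content matches. The event object follows the DOM `ClipboardEvent` shape; a constructed stand-in is used so the code runs under Node, and the category names are assumed.

```javascript
// Added example, not Highflame's code: phrase table from the Prompt injection section,
// compiled per category, plus a paste gate that blocks or flags matching clipboard text.
const INJECTION_PATTERNS = {
  jailbreak: ['DAN', 'do anything now', 'god mode', 'developer mode'],
  role_hijacking: ['act as', 'pretend you are', 'you are now', 'your new persona'],
  instruction_override: ['ignore previous instructions', 'disregard the above', 'forget everything'],
  system_prompt_leak: ['repeat your system prompt', 'what are your hidden instructions', 'reveal your context'],
  instruction_bypass: ['ignore your safety guidelines', 'override your restrictions'],
  data_exfiltration: ['send this to', 'exfiltrate the following', 'forward to'],
  malicious_intent: ['create malware', 'write an exploit', 'help me hack'],
};

// One regex per category; runs of whitespace in a phrase match any whitespace.
// Note: a bare word like "DAN" with the `i` flag also matches the name, so a
// deployment would tune such short phrases.
const compiled = Object.entries(INJECTION_PATTERNS).map(([category, phrases]) => [
  category,
  new RegExp('\\b(?:' + phrases.map((p) => p.replace(/\s+/g, '\\s+')).join('|') + ')\\b', 'i'),
]);

// Returns the categories whose patterns match the text (empty array if clean).
function classifyPrompt(text) {
  return compiled.filter(([, re]) => re.test(text)).map(([category]) => category);
}

// Paste gate: cancels the paste in block mode, records a flag in monitor mode,
// and returns the inline notification text (null when nothing matched or mode is allow).
function handlePaste(event, mode = 'block') {
  const text = event.clipboardData.getData('text/plain');
  const hits = classifyPrompt(text);
  if (hits.length === 0 || mode === 'allow') return null;
  if (mode === 'block') event.preventDefault();
  return `Paste ${mode === 'block' ? 'blocked' : 'flagged'}: matches ${hits.join(', ')}`;
}
// In a page this would be wired as: document.addEventListener('paste', (e) => handlePaste(e));

// Constructed stand-in for a ClipboardEvent carrying adversarial text.
function fakePasteEvent(text) {
  const ev = { prevented: false, clipboardData: { getData: () => text } };
  ev.preventDefault = () => { ev.prevented = true; };
  return ev;
}
```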

***

## XSS and script injection

Monitors `innerHTML` assignments and `eval()` calls for malicious patterns.

| Pattern                 | Detection                                                                       |
| ----------------------- | ------------------------------------------------------------------------------- |
| **Script injection**    | `<script>`, `javascript:` URIs, event handler injection (`onerror=`, `onload=`) |
| **Iframe injection**    | `<iframe>` tags with suspicious `src` attributes                                |
| **Eval abuse**          | Direct `eval()` calls with non-trivial content                                  |
| **Prototype pollution** | `__proto__`, `constructor.prototype` in request bodies                          |

***

## Storage protection

Blocks writes to `localStorage` and `sessionStorage` for keys that match sensitive patterns: `password`, `token`, `secret`, `apikey`, `api_key`. Word-boundary matching is used to avoid false positives on keys like `access_token_expiry`.
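The difference between substring and word-boundary matching, as an added example that is not Highflame's code: the weak check flags `access_token_expiry`, the word-boundary check does not, and a wrapper applies the check to writes on a Storage-like object using the block/monitor/allow modes described below. The in-memory storage stand-in is constructed so the example runs outside a browser; in a page the same wrapper would be applied to `window.localStorage` or `window.sessionStorage`.

```javascript
// Added example, not Highflame's code: sensitive-key matching for storage writes.
const SENSITIVE_KEYS = ['password', 'token', 'secret', 'apikey', 'api_key'];

// Weak: plain substring match, so a harmless key like `access_token_expiry` is flagged.
function isSensitiveSubstring(key) {
  const k = key.toLowerCase();
  return SENSITIVE_KEYS.some((s) => k.includes(s));
}

// Corrected: the pattern must sit on word boundaries. `_` is a word character for `\b`,
// so `token` inside `access_token_expiry` does not match, while `token` and `api_key`
// as whole keys do.
const SENSITIVE_KEY_RE = new RegExp(`\\b(?:${SENSITIVE_KEYS.join('|')})\\b`, 'i');
function isSensitiveKey(key) {
  return SENSITIVE_KEY_RE.test(key);
}

// Wrap a Storage-like object (setItem/getItem). Returns the list of recorded violations.
// block: write cancelled and recorded; monitor: write proceeds, recorded; allow: untouched.
function guardStorage(storage, mode = 'block') {
  const violations = [];
  const setItem = storage.setItem.bind(storage);
  storage.setItem = (key, value) => {
    if (mode !== 'allow' && isSensitiveKey(key)) {
      violations.push({ key, mode });
      if (mode === 'block') return;      // cancel the write
    }
    setItem(key, value);
  };
  return violations;
}

// Constructed in-memory stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => { m.set(k, String(v)); },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
}
```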

***

## Enforcement modes

Each threat category can be independently configured per policy:

| Mode        | Behavior                                                                                               |
| ----------- | ------------------------------------------------------------------------------------------------------ |
| **Block**   | The operation is cancelled. The user sees an inline notification. The violation is recorded in Studio. |
| **Monitor** | The operation proceeds. The detection is recorded silently in Studio for review. No user notification. |
| **Allow**   | No enforcement. Use during initial rollout to establish a baseline before enabling blocking.           |

See [Policies](/browser-security/policies.md) to configure enforcement modes per category.

