OWASP Top 10 for LLM applications
The OWASP Top 10 for Large Language Model (LLM) Applications. Use this checklist to review systems that send prompts to or build on top of LLMs.
- 51 items
- 10 sections
- Reusable template
LLM01 Prompt injection
LLM02 Insecure output handling
LLM03 Training data poisoning
LLM04 Model denial of service
LLM05 Supply chain vulnerabilities
LLM06 Sensitive information disclosure
LLM07 Insecure plugin design
LLM08 Excessive agency
LLM09 Overreliance
LLM10 Model theft
Markdown source
Copy this and paste it into Checksy to import the checklist.
---
template: true
about: The OWASP Top 10 for Large Language Model (LLM) Applications. Use this checklist to review systems that send prompts to or build on top of LLMs.
---
# OWASP Top 10 for LLM applications
## LLM01 Prompt injection
- [ ] Treat all user, document, tool, and retrieval content as untrusted input
- [ ] Separate system instructions from user content with clear, enforced boundaries
- [ ] Constrain model output with response schemas or function-calling contracts
- [ ] Filter or sanitize retrieved content before placing it in the prompt
- [ ] Require human approval for high-impact actions triggered by model output
- [ ] Test the system against indirect prompt injection from documents, web pages, and tool results
## LLM02 Insecure output handling
- [ ] Never pass model output directly to a shell, SQL query, or `eval`
- [ ] Encode model output for the relevant context (HTML, Markdown, SQL, shell)
- [ ] Validate URLs and links generated by the model against an allow-list
- [ ] Render model output in a sandboxed view when displayed to users
- [ ] Treat model-generated code as untrusted before executing it
## LLM03 Training data poisoning
- [ ] Verify the provenance of training, fine-tuning, and embedding data
- [ ] Pin and checksum third-party datasets and base models
- [ ] Detect outliers and adversarial samples in training data
- [ ] Restrict who can submit data to fine-tuning pipelines
- [ ] Re-evaluate models on a held-out, trusted benchmark after each training run
## LLM04 Model denial of service
- [ ] Apply per-user, per-IP, and per-key rate limits to LLM endpoints
- [ ] Cap input length, context window, and tool-call depth
- [ ] Set hard timeouts and token budgets per request
- [ ] Monitor cost and latency metrics with alerts on anomalies
- [ ] Reject recursive or self-referencing tool-call patterns
## LLM05 Supply chain vulnerabilities
- [ ] Inventory all models, plugins, and dependencies (SBOM)
- [ ] Pull models and weights only from trusted, signed sources
- [ ] Pin model versions instead of using floating tags
- [ ] Scan model files for malicious code (e.g., pickle deserialization)
- [ ] Review the security posture of model and plugin vendors
## LLM06 Sensitive information disclosure
- [ ] Strip or tokenize secrets, PII, and credentials from prompts and logs
- [ ] Filter model output for sensitive patterns before returning it to users
- [ ] Do not include cross-tenant data in shared prompts or contexts
- [ ] Avoid fine-tuning on raw production data that contains user secrets
- [ ] Communicate to users what is sent to third-party model providers
## LLM07 Insecure plugin design
- [ ] Validate and type-check every plugin/tool input
- [ ] Run plugins with the least privilege required (no broad credentials)
- [ ] Require explicit user consent for sensitive plugin actions
- [ ] Authenticate plugin calls and authorize them per user
- [ ] Log all plugin invocations with their inputs, outputs, and outcomes
## LLM08 Excessive agency
- [ ] Limit the set of tools an agent can call to the minimum required
- [ ] Scope tool credentials to a single user, tenant, and resource
- [ ] Require human-in-the-loop approval for irreversible actions
- [ ] Set an upper bound on autonomous reasoning steps and tool calls
- [ ] Maintain an audit trail of every action taken by the agent
## LLM09 Overreliance
- [ ] Communicate model uncertainty and limitations in the UI
- [ ] Cite sources used for retrieval-augmented answers
- [ ] Cross-check critical model output against deterministic systems
- [ ] Provide a way for users to flag and report incorrect output
- [ ] Avoid using LLM output as the sole basis for high-impact decisions
## LLM10 Model theft
- [ ] Restrict access to model weights, fine-tunes, and adapters
- [ ] Watermark or fingerprint proprietary model output where possible
- [ ] Rate-limit and monitor for query patterns that suggest extraction
- [ ] Detect and block automated scraping of the model API
- [ ] Encrypt model artifacts at rest and in transit
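As an added example (not part of the Checksy template or of OWASP's own material), here is a Python rendering step that applies the LLM02 items above: model text is HTML-escaped for the display context, and Markdown links are kept as anchors only when they pass a host allow-list. The allow-listed hosts and the sample model output are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the only hosts this application is
# willing to link to. Any other link the model emits is demoted to plain text.
ALLOWED_LINK_HOSTS = {"docs.example.com", "support.example.com"}

# Markdown inline links of the form [label](url).
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def link_is_allowed(url: str) -> bool:
    """Allow only https URLs whose host is exactly on the allow-list."""
    try:
        parts = urlsplit(url.strip())  # resolves https://good@evil.test/ to evil.test
    except ValueError:
        return False
    # The scheme check drops javascript:, data: and plain http: links.
    return parts.scheme == "https" and parts.hostname in ALLOWED_LINK_HOSTS


def sanitize_model_output(text: str) -> dict:
    """Escape model text for HTML and keep only allow-listed links as anchors.

    Disallowed links are reduced to their label; their URLs are returned so the
    caller can log them (a model linking to unknown hosts is an injection signal).
    """
    rendered, dropped, pos = [], [], 0
    for match in MD_LINK.finditer(text):
        rendered.append(html.escape(text[pos:match.start()]))  # plain text between links
        label, url = match.group(1), match.group(2)
        if link_is_allowed(url):
            href = html.escape(url, quote=True)
            rendered.append(f'<a href="{href}" rel="noopener noreferrer">{html.escape(label)}</a>')
        else:
            dropped.append(url)
            rendered.append(html.escape(label))
        pos = match.end()
    rendered.append(html.escape(text[pos:]))
    return {"html": "".join(rendered), "dropped_links": dropped}


# Constructed sample of model output: one good link, one look-alike host, and
# an injected HTML tag that must not reach the browser unescaped.
SAMPLE_MODEL_OUTPUT = (
    "See [the portal](https://docs.example.com/reset) or "
    "[this mirror](https://docs.example.com.evil.test/reset). "
    "<img src=x onerror=alert(1)>"
)
```

The `dropped_links` list is what the LLM06/LLM07 logging items would consume; a spike in dropped links from one session is worth an alert.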