Forem: Shuja The latest articles on Forem by Shuja (@shujasn). https://forem.com/shujasn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3861533%2F2556670c-70bc-4340-9671-09657b32252e.jpg Forem: Shuja https://forem.com/shujasn en I Built an Open-Source Security Middleware for LLMs, Here's How It Works Shuja Tue, 07 Apr 2026 12:00:00 +0000 https://forem.com/shujasn/i-built-an-open-source-security-middleware-for-llms-heres-how-it-works-1k94 https://forem.com/shujasn/i-built-an-open-source-security-middleware-for-llms-heres-how-it-works-1k94 <p>Most AI apps connect directly to OpenAI with zero middleware.</p> <p>No PII filtering. No injection defense. No spend caps. User input goes straight to a third-party API, emails, phone numbers, API keys, all of it.</p> <p>I built <a href="https://github.com/ShujaSN/shieldstack-ts" rel="noopener noreferrer">ShieldStack TS</a> to fix this. It's a TypeScript middleware layer that sits between your app and any LLM provider, intercepting every request and response with sub-2ms overhead.</p> <p>In this article, I'll walk through the architecture, show the code, and explain the trade-offs I made.</p> <h2> What It Does </h2> <p>ShieldStack runs as a pipeline. Every prompt passes through 4 checks before reaching the LLM:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Prompt ↓ ① Token Budget Check (&lt;0.1ms) ② Injection Detection (&lt;0.5ms) ③ Secrets Scanning (&lt;0.5ms) ④ PII Redaction (&lt;1ms) ↓ Clean Prompt → LLM </code></pre> </div> <p>On the way back, streaming responses pass through a <code>TransformStream</code> that sanitizes PII and secrets chunk-by-chunk in real-time.</p> <h2> Quick Setup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>shieldstack-ts </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ShieldStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shieldstack-ts</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">shield</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ShieldStack</span><span class="p">({</span> <span class="na">pii</span><span class="p">:</span> <span class="p">{</span> <span class="na">policy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">,</span> <span class="na">emails</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">creditCards</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">phoneNumbers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">injectionDetection</span><span class="p">:</span> <span class="p">{</span> <span class="na">threshold</span><span class="p">:</span> <span class="mf">0.8</span><span class="p">,</span> <span class="p">},</span> <span class="na">tokenLimiter</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">3600000</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">safePrompt</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">shield</span><span class="p">.</span><span class="nf">evaluateRequest</span><span class="p">(</span> <span class="nx">userInput</span><span class="p">,</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">tokenEstimate</span> <span class="p">);</span> <span class="c1">// safePrompt is clean — send it to your LLM</span> </code></pre> </div> <h2> The Architecture: Why Order Matters </h2> <p>The pipeline order isn't random. It's sorted by cost:</p> <p><strong>Budget check runs first</strong> because it's a single Map lookup. If a user is over their limit, why waste CPU on regex? Block them in 0.1ms and move on.</p> <p><strong>Injection detection runs second</strong> because if someone is trying to jailbreak your system, you don't want to spend time redacting their PII. Just block them.</p> <p><strong>Secrets and PII run last</strong> because regex engines are the most expensive operations in the pipeline. By this point, we know the request is legitimate and within budget.</p> <p>This is a general principle for middleware design: <strong>cheapest checks first, most expensive last.</strong></p> <h2> Real-Time Stream Sanitization </h2> <p>This was the hardest problem to solve.</p> <p>When an LLM streams a response, it sends chunks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Chunk 1: "The customer email is user@exa" Chunk 2: "mple.com and their phone..." </code></pre> </div> <p>If you scan each chunk independently, <code>user@exa</code> doesn't match any email regex. The PII slips through.</p> <p>Most solutions buffer the entire response and scan at the end. That kills the streaming UX.</p> <p>My approach uses the Web Streams API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">createStream</span><span class="p">():</span> <span class="nx">TransformStream</span><span class="o">&lt;</span><span class="nb">Uint8Array</span><span class="p">,</span> <span class="nb">Uint8Array</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pii</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">piiRedactor</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">secretsDetector</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">decoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextDecoder</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">buf</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">TransformStream</span><span class="p">({</span> <span class="nf">transform</span><span class="p">(</span><span class="nx">chunk</span><span class="p">,</span> <span class="nx">controller</span><span class="p">)</span> <span class="p">{</span> <span class="nx">buf</span> <span class="o">+=</span> <span class="nx">decoder</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="nx">chunk</span><span class="p">,</span> <span class="p">{</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">redactedText</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">pii</span><span class="p">.</span><span class="nf">redact</span><span class="p">(</span><span class="nx">buf</span><span class="p">);</span> <span class="p">({</span> <span class="nx">redactedText</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">secrets</span><span class="p">.</span><span class="nf">redact</span><span class="p">(</span><span class="nx">redactedText</span><span class="p">));</span> <span class="nx">buf</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">controller</span><span class="p">.</span><span class="nf">enqueue</span><span class="p">(</span><span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="nx">redactedText</span><span class="p">));</span> <span class="p">},</span> <span class="nf">flush</span><span class="p">(</span><span class="nx">controller</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tail</span> <span class="o">=</span> <span class="nx">decoder</span><span class="p">.</span><span class="nf">decode</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tail</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">redactedText</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">pii</span><span class="p">.</span><span class="nf">redact</span><span class="p">(</span><span class="nx">tail</span><span class="p">);</span> <span class="p">({</span> <span class="nx">redactedText</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">secrets</span><span class="p">.</span><span class="nf">redact</span><span class="p">(</span><span class="nx">redactedText</span><span class="p">));</span> <span class="nx">controller</span><span class="p">.</span><span class="nf">enqueue</span><span class="p">(</span><span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="nx">redactedText</span><span class="p">));</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><code>TransformStream&lt;Uint8Array, Uint8Array&gt;</code> works natively on Node.js, Bun, and Cloudflare Workers. Zero platform-specific code.</p> <h2> Denial-of-Wallet Prevention </h2> <p>A startup got a $47,000 OpenAI bill in one weekend. One user wrote a script that hit their <code>/chat</code> endpoint in a loop. No rate limiting. No token caps.</p> <p>ShieldStack prevents this with per-user token budgets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">shield</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ShieldStack</span><span class="p">({</span> <span class="na">tokenLimiter</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">3600000</span><span class="p">,</span> <span class="c1">// 1 hour</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The limiter uses an async sliding-window token bucket. Each request checks the budget before anything else, if you're over, you get a 403 in under 0.1ms.</p> <p>For multi-server deployments, plug in Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">RedisStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shieldstack-ts</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">shield</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ShieldStack</span><span class="p">({</span> <span class="na">tokenLimiter</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxTokens</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">3600000</span><span class="p">,</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">(</span><span class="nx">redisClient</span><span class="p">),</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The Redis adapter uses duck typing, any client that implements <code>get()</code>, <code>set()</code>, and <code>del()</code> works. No forced peer dependencies. ioredis, Upstash, node-redis all work out of the box.</p> <h2> Framework Adapters </h2> <p>The core is a pure TypeScript class. It never imports a framework. Thin adapters wrap it:</p> <p><strong>Express:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">expressShield</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shieldstack-ts</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/chat</span><span class="dl">'</span><span class="p">,</span> <span class="nf">expressShield</span><span class="p">(</span><span class="nx">shield</span><span class="p">),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// req.body is already sanitized</span> <span class="p">});</span> </code></pre> </div> <p><strong>Next.js App Router:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">withShield</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shieldstack-ts</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">withShield</span><span class="p">(</span><span class="nx">shield</span><span class="p">,</span> <span class="nx">chatHandler</span><span class="p">);</span> </code></pre> </div> <p><strong>Hono (Cloudflare Workers):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">honoShield</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">shieldstack-ts</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/chat</span><span class="dl">'</span><span class="p">,</span> <span class="nf">honoShield</span><span class="p">(</span><span class="nx">shield</span><span class="p">));</span> </code></pre> </div> <h2> Trade-Offs I Made </h2> <p><strong>Heuristic scoring over ML for injection detection.</strong> A weighted regex system detects jailbreak attempts in under 0.5ms. No model loading, no ONNX runtime, no cold starts. An ML classifier is on the roadmap, but for v0.1, I wanted zero overhead and zero dependencies.</p> <p><strong>Duck-typed Redis over hard dependency.</strong> The <code>GenericRedisClient</code> interface is 3 methods. This means no version conflicts, no bundle bloat, and edge compatibility (Upstash works on Workers, ioredis works on Node).</p> <p><strong>Web Standards over Node.js APIs.</strong> <code>TransformStream</code> instead of Node.js <code>Transform</code>. This sacrifices some Node-specific optimizations but gains universal runtime support without polyfills.</p> <h2> Performance </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>Overhead</th> </tr> </thead> <tbody> <tr> <td>Token limit check (in-memory)</td> <td>&lt; 0.1ms</td> </tr> <tr> <td>Token limit check (Redis)</td> <td>1–3ms</td> </tr> <tr> <td>Injection detection</td> <td>&lt; 0.5ms</td> </tr> <tr> <td>PII redaction</td> <td>&lt; 1ms</td> </tr> <tr> <td>Stream sanitization per chunk</td> <td>&lt; 0.2ms</td> </tr> <tr> <td><strong>Total end-to-end</strong></td> <td><strong>&lt; 2ms</strong></td> </tr> </tbody> </table></div> <p>LLM calls take 500ms–5s. ShieldStack adds less than 0.4% overhead.</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/ShujaSN/shieldstack-ts.git <span class="nb">cd </span>shieldstack-ts npm <span class="nb">install </span>npm run <span class="nb">test</span> </code></pre> </div> <p>Run the demo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>examples/demo npm <span class="nb">install </span>npm run dev </code></pre> </div> <p>Send a prompt with a fake email, watch <code>[REDACTED_EMAIL]</code> appear in the stream. Try "Ignore previous instructions" , watch it get blocked.</p> <p>The repo is MIT licensed. If you're building AI features and want a drop-in security layer, give it a try.</p> <p><a href="https://github.com/ShujaSN/shieldstack-ts" rel="noopener noreferrer">GitHub: ShieldStack TS</a></p> <p>If you have questions about the architecture or want to contribute, open an issue or drop a comment below.</p> typescript security opensource ai