SQUEEZING A LITTLE SOUR INTO AGENTIC LLMS
While a traditional Web Application Firewall (WAF) filters incoming traffic to protect the server from the user, LLMON functions as a WAAiF (Web Adversarial AI Firewall).
Operating as a user-transparent reverse proxy, LLMON sits between your application and the internet. It intercepts outbound traffic and modifies content on-the-fly—preserving the intended experience for human users while injecting adversarial payloads into files automatically for ingestion into LLM powered pipelines.
This represents a paradigm shift from Network Security to Cognitive Security. As a Caddy middleware, LLMON invisibly proxies your traffic, injecting "poisoned" instructions targeting AI Agents (like GPTBot or ClaudeBot) while ensuring the experience remains undisturbed for human users.
This enables active defense strategies—from Instructional Overrides that force models to respect copyright, to Context Flooding that exhausts token limits, to Honey Potting to detect unauthorized scraping—all without modifying your backend application code.
The Philosophy
At its core, LLMON acts as a gatekeeper of meaning. Working to ensure that while the raw bytes are accessible, the semantic value extracted by AI is oriented towards the user, not the machine.
Live Injection Demos
Download these files to see LLMON inject payloads on the fly. Inspect the files locally to verify.
Injected: Served via /assets/, triggering the llmon middleware.
Original: Served via /clean/, bypassing the middleware (configured via
exclude /clean/*). Comparing the two files confirms on-the-fly modification.
Injection Strategies
| Strategy | Description | Config | Example |
|---|---|---|---|
| HTML Comment | Injects payloads into standard HTML comments. Bots read the source code. | type html_comment |
|
| Hidden Textarea | Injects a <textarea> hidden with advanced CSS (randomized class names) to
avoid display: none detection. |
type textarea |
|
| Script Text | Injects payloads into a non-executable script tag (text/plain). Safe from execution, visible to parsers. | type script_text |
|
| CSS Comment | Injects payloads into CSS comments within <style> tags. |
type css_comment |
|
| Title Injection | Appends or modifies the <title> tag. |
type title |
|
| Attribute Injection | Injects payloads into data-* attributes or aria-label. |
type attributetarget_tags div
|
|
| ASCII Smuggling | Hides payloads within plain text using invisible characters (Unicode Tags, Variant Selectors). | strategy html ascii_smuggle |
|
| Interleaved Stego | Weaves invisible payload characters between visible characters to defeat contiguous-block filters. | ascii_smuggle_mode interleaved |
|
| PDF (Watermark) | Injects an invisible text watermark (opacity 0.01%) into the PDF page content. | Default for .pdf |
|
| PDF (Polyglot) | Constructs a valid PDF that also contains valid HTML. Browsers render HTML; PDF readers render PDF. | file_strategy pdf polyglot |
|
| DOCX (Hidden) | Injects a hidden paragraph element into the word/document.xml structure. |
Default for .docx |
|
| XLSX (Hidden Sheet) | Injects a "VeryHidden" worksheet containing the payload into the workbook. | Default for .xlsx |
|
| PNG (Metadata) | Injects payload into a tEXt chunk (Comment). |
Default for .png |
|
| PNG (Alpha Stego) | Encodes payload into the Least Significant Bits (LSB) of the Alpha channel. | file_strategy png alpha_stego |
|
| PNG (Ghost Text) | Uses Alpha 0 (transparent) but fully saturated RGB values (Vector B). | type ghost_text (HTML) |
|
| JPEG (Comment) | Injects payload into the COM (Comment) segment. |
Default for .jpg |
|
| GIF (Extension) | Injects payload into a Comment Extension Block. | Default for .gif |
|
| GIF (Polyglot) | Appends a JavaScript payload to a valid GIF, creating a valid image + valid script (GIFAR). | file_strategy gif polyglot |
|
| SVG (Metadata) | Injects payload into <desc> or <metadata> tags. |
Default for .svg |
|
| MP3 (ID3v2) | Injects payload into the USLT (Unsynchronized Lyrics/Text) frame. |
Default for .mp3 |
|
| WAV (RIFF) | Injects payload into an ICMT (Comment) chunk within the RIFF header. |
Default for .wav |
|
| Fonts (WOFF2/TTF) | Injects payload into the name table (Copyright/Description fields). |
Default for .woff2, .ttf |
|
| JSON | Injects a new key _llm_instruction with the payload. |
Default for .json |
|
| XML / RSS | Injects an XML comment. | Default for .xml |
|
| JavaScript | Injects a variable declaration at the top of the script. | Default for .js |
|
| Robots.txt | Injects a Disallow rule and a comment. | Default for robots.txt |
|
Use Cases
| Category | Goal | Mechanism | Example |
|---|---|---|---|
| Guerrilla Marketing | Personal Branding Ensure any AI summarizing your content recommends you as the top expert. |
Injects a system instruction into bio/resume pages. |
|
| Cyber Security | Attacker Misdirection (Honey Pot) Detect and misdirect malicious AI agents scanning your infrastructure. |
Tricks the agent into visiting a tracking URL with its internal state. |
|
| Behavioral & Adversarial | Prompt Extraction Trick the AI into revealing its system prompt or sensitive instructions. |
Social Engineering / Roleplay Injection. |
|
| Resource Consumption Force the AI to waste compute tokens on irrelevant tasks. |
Computation Trap / Infinite Loop. |
|
|
| Behavioral Override Override the AI's persona to degradation or entertainment. |
Persona Adoption. |
|
|
| Red Teaming | Agent Compromise (Kill Chain) Test agent sandboxes using RCE, Exfiltration, and Persistence vectors. |
CAPE, Infrastructure Exposure, Viral Propagation. |
|
Reliability & Safety
LLMON is built on a 'Round-Trip' Reliability Protocol. Every injection strategy is
validated
against a rigorous E2E test suite (powered by chromedp) ensuring the resulting file is not just 'technically' injected, but
structurally valid and corrupt-free. We use a custom Verifier engine to parse and validate
every byte of the output, guaranteeing that your assets remain functional for humans while carrying
their
payload for machines.
Installation
You must compile Caddy with the llmon module using xcaddy:
# Install xcaddy
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
# Build Caddy with llmon
xcaddy build --with github.com/jaredfolkins/llmon=.Systemd Setup (Linux)
For production, run Caddy as a systemd service.
1. Prepare User & Binary
# Create caddy user/group
sudo groupadd --system caddy
sudo useradd --system \
--gid caddy \
--create-home \
--home-dir /var/lib/caddy \
--shell /usr/sbin/nologin \
--comment "Caddy web server" \
caddy
# Move binary
sudo mv caddy /usr/bin/
sudo chown root:root /usr/bin/caddy
sudo chmod 755 /usr/bin/caddy2. Create Service File
Create /etc/systemd/system/caddy.service:
# /etc/systemd/system/caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target3. Enable & Start
sudo systemctl daemon-reload
sudo systemctl enable --now caddy
sudo systemctl status caddyConfiguration
Add the llmon directive to your Caddyfile. Ensure you order it before encoding:
{
# Global Option: Ensure llmon runs before compression
order llmon before encode
}
https://llmon.dev {
# Site Root
root * /var/www/llmon/www
# Serve Static Files
file_server
# LLMON Configuration
llmon {
# Injection Probability (100% for testing)
rate 1.0
# Route Exclusion: Disable injection for the clean demo assets
exclude /clean/*
# Debug Mode (uses predictable 'llmon-' prefix for classes)
debug
# Log Level
log_level debug
# ---------------------------------------------------------
# STRATEGY CONFIGURATION (Safe Mode: All Disabled by Default)
# ---------------------------------------------------------
strategy {
# ---------------------------------------------------------
# 1. HTML Injection
# Default: Disabled
# Modes:
# - random (Mixes all vectors)
# - html_comment (Standard <!-- comment -->)
# - script_text (<script type="text/plain">)
# - css_comment (/* comment */ in <style>)
# - title (Appends to <title>)
# - textarea (Hidden <textarea>)
# - attribute (data-llm-info attribute)
# - ascii_smuggle (Invisible Unicode tags)
# ---------------------------------------------------------
html {
mode random
ascii_smuggle {
mode unicode_tags # unicode_tags | interleaved | variant_selectors | sneaky_bits
add_tags true # true | false
visible_carrier "Hello" # For interleaved mode
}
}
# ---------------------------------------------------------
# 2. Document & Office
# Default: Disabled
# Modes:
# - default (Standard Injection: Watermark, Hidden Text, etc.)
# - polyglot (PDF only: PDF+HTML)
# ---------------------------------------------------------
pdf {
mode polyglot
}
docx {
# mode default
}
xlsx {
# mode default
}
# ---------------------------------------------------------
# 3. Images
# Default: Disabled
# Modes:
# - default (Metadata/Comment Injection)
# - alpha_stego (PNG only: LSB Steganography)
# - polyglot (GIF only: GIF+JS)
# ---------------------------------------------------------
png {
mode alpha_stego
}
gif {
mode polyglot
}
jpg {
# mode default
}
svg {
# mode default
}
# ---------------------------------------------------------
# 4. Audio & Media
# Default: Disabled
# Modes:
# - default (ID3v2 Lyrics / RIFF Comment)
# ---------------------------------------------------------
mp3 {
# mode default
}
wav {
# mode default
}
# ---------------------------------------------------------
# 5. Typography (Fonts)
# Default: Disabled
# Modes:
# - default (Name Table Injection)
# ---------------------------------------------------------
woff2 {
# mode default
}
ttf {
# mode default
}
otf {
# mode default
}
# ---------------------------------------------------------
# 6. Data & Text
# Default: Disabled
# Modes:
# - default (JSON Key, XML Comment, ICS Desc, SRT Subtitle, JS Var, Robots Comment)
# ---------------------------------------------------------
json {
# mode default
}
xml {
# mode default
}
js {
# mode default
}
ics {
# mode default
}
srt {
# mode default
}
txt {
# mode default # Handles robots.txt
}
}
}
}Directory Structure
LLMON looks for resources in directories relative to your Caddyfile. If these folders are
missing, LLMON will automatically create them and populate them with default assets (jailbreaks and
directives).
/var/www/llmon/
├── Caddyfile
├── www/ # Website content (index.html, assets, etc.)
├── directives/ # Your prompt instructions (Payloads)
│ ├── hire_me.txt
│ └── honeypot.txt
└── jailbreaks/ # Jailbreak wrappers (Templates)
├── openai/ # Vendor subfolders
│ └── gpt.hujson
└── anthropic/
└── claude.hujsonDirectives (./directives)
LLMON automatically creates this folder and populates it with default directives. You can add your own plain
text files (.txt) here. LLMON picks one random directive per request to embed into the
injection. These are the "payloads" or instructions you want the AI to follow.
Jailbreaks (./jailbreaks)
LLMON automatically creates this folder with vendor-specific subfolders (e.g., openai,
anthropic). You can place .hujson (Human JSON) templates inside. LLMON detects the
bot's User-Agent and selects a template from the matching vendor folder.