Really like the content negotiation approach. Serving clean markdown via Accept headers has a nice security side benefit too.
agents that receive structured markdown don't need to parse raw HTML, which is exactly where indirect prompt injection payloads hide.
Unit42's March 2026 research found 22+ techniques used in the wild to embed hidden instructions in HTML — zero-font CSS, invisible divs, dynamic JS injection. If more sites adopted this pattern and agents preferred the markdown path, a whole class of web-based IDPI attacks would be bypassed by design.
Great writeup. Attackers are also "optimizing content for agents" — just with malicious intent.
Unit42 published research in March 2026 confirming websites in the wild embedding hidden instructions specifically targeting AI agents.
Techniques include zero-font CSS text, invisible divs, and JS dynamic injection. One site had 24 layered injection attempts.
The same properties that make content agent-friendly (structured, parseable, in the DOM) also make it a perfect delivery mechanism for indirect prompt injection.
This is a really important area to tackle.
secret management for AI agents is something most teams are ignoring right now.
One adjacent risk worth noting: the URLs these agents visit during research.
Even with proper secret management, if an agent browses a poisoned page during research, the injected instructions could override its behavior before secrets ever come into play.
Interesting approach. This made me think about layering URL-level
reputation checks alongside prompt-level scanning. Unit42's March 2026
research found 11 domains actively hosting hidden IDPI payloads in the
wild — things like zero-font CSS instructions and JS-injected fork bombs.
A pre-browse check against known hostile domains could complement
prompt-level detection nicely, catching threats before content even
reaches the proxy.
Unit42's March 2026 research found 22+ techniques used in the wild to embed hidden instructions in HTML — zero-font CSS, invisible divs, dynamic JS injection. If more sites adopted this pattern and agents preferred the markdown path, a whole class of web-based IDPI attacks would be bypassed by design.