Privacy

Client-Side Redaction, Explained (and Why It Beats a Proxy)

A slow walk through the three architectures for prompt PII redaction — server proxy, browser extension, in-page tool — and why the in-page tool is the one that survives contact with real users.

PromptShielder Security Team· Applied cryptography & privacy engineering May 6, 2025 8 min read

Three architectures

1. Server-side reverse proxy

Employees are routed through a company gateway that MITMs LLM traffic, extracts PII, replaces it with tokens, forwards the redacted request, then rewrites the response on the way back. Powerful in principle. In practice it needs TLS interception on every device, it does not touch mobile or personal-account traffic, and it becomes a single high-value target.

2. Browser extension

A managed extension observes prompt textareas and intercepts on send. Better coverage than a proxy for personal accounts, worse coverage than a proxy for API calls. Depends on the browser's extension model — which is tightening — and on the extension having read-access to the page contents, which is itself a data-flow concern.

3. In-page redaction tool

A separate tab the user pastes into. Redacts locally. User copies the redacted text into ChatGPT. Pastes the response back, gets the restored text. Zero server component. Zero device management requirement. The user retains agency, which is what actually drives adoption.

Why local wins on incident recovery

Assume the tool has a bug. Server proxy: rewind traffic, notify every affected user, potentially notify every affected data subject. Extension: same, plus device inventory. In-page tool: nothing leaves the tab; the incident surface is one user's session.

What in-page redaction cannot do

It cannot enforce. It relies on the user actually using it. Pair it with a short, concrete acceptable-use policy and it works. Deploy it as the only control and you will miss the users who don't paste it in.

Frequently asked

Can I audit an in-page tool?+

Yes — export the entity list per session, keep the mapping in an internal secure vault if you need it, or forbid export entirely. The tool should support both modes.

Is a local WASM model better than regex?+

For pure detection quality, yes. For latency, adoption and battery life, well-tuned regex plus contextual rules beat a 100 MB WASM download in real workflows.

Sources
PrivacyTechnical
Try PromptShielder

Redact prompts before they leave your browser.

Free to try. Nothing is sent to a server. Ever.