ChatGPT Lockdown Mode Limits Web Access to Reduce Prompt Injection Data Theft Risks
8 min. read 
Published on
OpenAI has made ChatGPT Lockdown Mode available more broadly as an optional security setting for users and workspaces that want stronger protection against prompt injection-based data exfiltration.
The feature limits how ChatGPT can connect to the web and external services. According to OpenAI’s ChatGPT release notes, Lockdown Mode is now available to logged-in users across account types and workspaces.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
OpenAI says the setting reduces the risk that malicious instructions hidden in webpages, files, or other content could trick ChatGPT into sending sensitive information to an attacker-controlled destination. It does not stop prompt injections from appearing in content, but it reduces one of the most important follow-up risks: outbound data transfer.
What ChatGPT Lockdown Mode does
The Lockdown Mode help page describes the feature as an advanced security control that limits tools and capabilities that can connect to the web or external services.
When the mode is active, ChatGPT restricts live web browsing, Deep Research, agent mode, file downloads for data analysis, Canvas networking, and some web-derived image support. Users can still upload files manually, and image generation remains available where the account already supports it.
OpenAI says Lockdown Mode is aimed at people and organizations that handle sensitive information and want a more conservative ChatGPT experience. It is not meant for every user, since it disables or limits features that many people rely on for research, automation, and live information lookup.
| Capability | What changes in Lockdown Mode |
|---|---|
| Live web browsing | Limited to cached or indexed content, so results may be stale, limited, or unavailable |
| Deep Research | Disabled |
| Agent mode | Disabled |
| Canvas networking | Users cannot approve Canvas-generated code to access the network |
| File downloads | ChatGPT cannot download external files for data analysis |
| Web-derived images | Some image retrieval and display behavior is limited |
Why prompt injection is the main concern
Prompt injection is a security problem where malicious instructions get placed inside content that an AI system reads. This could include a webpage, a document, a message, or another connected source.
In its Lockdown Mode announcement, OpenAI said prompt injection becomes more important as AI systems handle more complex tasks that involve the web and connected apps.
The risk is not limited to wrong answers. If an AI tool can browse the web, call apps, download files, or write to connected systems, a malicious instruction may try to make it move private data outside the user’s trusted environment.
- Lockdown Mode focuses on reducing outbound exfiltration paths.
- It does not remove all prompt injection risk.
- It can limit useful features, especially for real-time research and agentic work.
- It gives higher-risk users a stricter security posture when working with sensitive data.
OpenAI says the feature is now generally available
OpenAI listed Lockdown Mode as generally available on June 4, 2026, in its ChatGPT release notes. The company says personal users can enable it from Settings > Security, while workspace admins can configure access through workspace settings and role-based access controls.
The Help Center says Lockdown Mode is available for all account types and workspaces, but it also notes that users must be logged in and that some users may not see it immediately while rollout continues.
For personal and self-serve ChatGPT Business accounts, users can turn it on from Settings, then Security, then Advanced security. OpenAI also lets users disable Lockdown Mode for a specific chat from the Lockdown status message above the composer.
What still works in Lockdown Mode
Lockdown Mode does not change every ChatGPT setting. OpenAI says memory, file uploads, conversation sharing, and model training controls remain separate settings.
That distinction matters for privacy and compliance. Turning on Lockdown Mode does not automatically change whether conversations may be used to improve models. Users and admins still need to manage data controls separately.
OpenAI also says Lockdown Mode does not affect Codex network access. It also cannot run at the same time as Developer Mode. Turning on Lockdown Mode turns off Developer Mode, and turning on Developer Mode later turns off Lockdown Mode.
| Setting or feature | Changed by Lockdown Mode? |
|---|---|
| Memory | No, it remains separately configurable |
| Manual file uploads | No, users can still upload files |
| Conversation sharing | No, sharing remains separately controlled |
| Training and data controls | No, these settings remain separate |
| Codex network access | No, Lockdown Mode does not affect Codex |
How Lockdown Mode affects apps and connectors
Apps and connectors behave differently depending on the account type. For personal accounts and self-serve ChatGPT Business accounts, Lockdown Mode allows connectors that use synced data, but blocks live connector access and connector write actions.
For managed workspaces, OpenAI says Lockdown Mode does not automatically disable every app, connector, or MCP. Admins must review app access, allowed actions, trusted apps, and role assignments before treating the setup as protected.
OpenAI’s RBAC documentation says workspaces with Lockdown Mode role support can create a custom role for members who need it. The company describes Lockdown Mode as a role-level security configuration rather than a single permission toggle.
Offline web search can be part of stricter workspace controls
Some workspaces can use offline web search as part of a Lockdown Mode configuration. OpenAI’s offline web search documentation says this uses OpenAI’s indexed and cached web content instead of live external web access at request time.
This can reduce the chance that live search queries are sent to an external provider while still allowing some web-based answers. However, OpenAI warns that cached content can be incomplete, unavailable, or older than the live version.
That makes the feature better suited for stable research than for urgent news, price checks, breaking security advisories, or tasks that require guaranteed real-time freshness.
- Offline web search may miss new or rarely indexed pages.
- Some URLs may not be available in the cache.
- Dynamic, login-gated, or personalized content may not work well.
- Admins should confirm whether offline search applies by role, workspace, or both.
Admins need to review app risk carefully
OpenAI groups app and connector behavior by risk level in Lockdown Mode environments. Read and write actions for untrusted apps are not recommended, and write actions for trusted apps can still create risk if the resulting side effects are visible to untrusted parties.
The role-based access guidance tells admins to review which apps and actions a Lockdown Mode role allows before assigning it to users or groups. App access in ChatGPT also does not override permissions in the connected source system.
In practice, this means enterprise protection depends on configuration. Lockdown Mode can reduce data exfiltration paths, but admins still need to control which connected tools users can read from, write to, or call during a conversation.
Lockdown Mode is useful, but not a complete prompt injection fix
OpenAI says Lockdown Mode can substantially reduce the risk of prompt injection-based data exfiltration, but it does not guarantee that data exfiltration cannot happen.
The OpenAI announcement frames the setting as part of a broader defense-in-depth strategy that also includes sandboxing, protections against URL-based exfiltration, monitoring, enforcement, role-based access, and audit logs.
Users should also understand what the feature does not solve. A malicious instruction hidden in an uploaded file or cached webpage could still affect ChatGPT’s behavior and produce an incorrect or manipulated answer, even if Lockdown Mode blocks the final network exfiltration route.
What users and teams should do now
Personal users who handle confidential information should consider enabling Lockdown Mode before working with sensitive files, private research, internal notes, or connected data.
Business and enterprise admins should identify which users face higher security risk, such as executives, finance teams, legal teams, security staff, and employees with access to confidential repositories or customer records.
Admins should also review OpenAI’s offline search guidance if they want to reduce live web access while keeping some web search capability available for approved users.
| User type | Recommended action |
|---|---|
| Personal users | Turn on Lockdown Mode from Settings > Security when working with sensitive data |
| Self-serve Business users | Use Lockdown Mode for high-risk chats and review connected app access |
| Workspace admins | Create Lockdown Mode roles and assign them to higher-risk users or groups |
| Security teams | Audit app access, connector permissions, and logs for sensitive workflows |
Lockdown Mode gives ChatGPT users a stricter way to work with sensitive information, but it works best as part of a broader security setup. Users still need careful source review, strong account controls, trusted connectors, and clear rules for handling confidential data.
FAQ
ChatGPT Lockdown Mode is an optional advanced security setting that limits ChatGPT’s access to the web and external services. It is designed to reduce the risk of prompt injection-based data exfiltration.
No. Lockdown Mode does not stop malicious instructions from appearing in webpages, files, or other content that ChatGPT processes. It mainly reduces the risk that those instructions can cause sensitive data to leave through outbound network requests.
Lockdown Mode limits or disables live web browsing, Deep Research, agent mode, Canvas networking, file downloads for data analysis, and some web-derived image support. Manually uploaded files can still be used.
Lockdown Mode is most useful for users and organizations that handle sensitive data, including executives, security teams, legal teams, finance teams, and employees who work with confidential documents or connected company data.
No. OpenAI says Lockdown Mode does not change memory, file uploads, conversation sharing, or whether conversations may be used to improve models. Those settings remain separately configurable.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages