Skip to main content

What You’ll Accomplish

Guardrails let you block dangerous queries before they execute. You can:
  • Prevent accidental UPDATE or DELETE without a WHERE clause
  • Block DROP TABLE and other destructive DDL commands
  • Enforce read-only access for specific user groups
  • Require LIMIT clauses on large tables
  • Block queries that access sensitive columns

The Problem Guardrails Solve

Without guardrails, one typo can destroy production data: 
-- Intended: Update one user's email
UPDATE users SET email = 'new@email.com' WHERE id = 123;

-- Accidental: Update ALL users (forgot WHERE clause)
UPDATE users SET email = 'new@email.com';
-- 500,000 rows affected 💥
Guardrails catch these mistakes before they execute, showing an error instead of running the dangerous query.

How Guardrails Work

1

Query Submitted

User runs a query through Hoop (CLI, Web App, or API)
2

Rules Evaluated

Each guardrail rule is checked against the query using pattern matching
3

Decision Made

If a rule matches: block, warn, or require approval based on configuration
4

Result Returned

User sees either the query result or an error explaining which rule was violated

Rule Types

TypeDescriptionUse Case
Input RulesEvaluate the query before executionBlock dangerous commands
Output RulesEvaluate results after executionRedact sensitive data in output

Guardrails vs Other Features

FeaturePurposeWhen to Use
GuardrailsBlock queries based on patternsPrevent dangerous operations
Live Data MaskingRedact sensitive data in outputProtect PII in query results
Access RequestsRequire approval for accessTime-limited or command-level approval
Access ControlControl who can access resource rolesRestrict resource role visibility
These features work together. For example:
  • Guardrails block DROP TABLE commands
  • Live Data Masking redacts SSN in SELECT results
  • Access Requests require approval before connecting
  • Access Control limits who sees the resource role
Ready to set it up? The Guardrails configuration guide covers prerequisites, creating rules, pattern syntax, actions, recipes, testing, and troubleshooting.

Next Steps

Guardrails Configuration

Detailed configuration options and rule syntax

Live Data Masking

Automatically redact sensitive data in query results

Access Requests

Require approval for access to sensitive resource roles

Session Recording

Audit all query executions including blocked queries