Lesson
Protect Secrets from Being Read by Claude Code
Apply least-privilege defaults, deny reads of sensitive files like `.env`, and verify that the guardrails hold.
Protecting secrets in Claude Code starts with permissions. Lock the workspace down with explicit deny rules.
The risk
```
# .env
MY_SECRET="I love peanut butter"
```
Deny with /permissions
- Open the permissions manager:
  `/permissions`
- Add a Deny rule for the project:
  `Read(./.env)`
- Save to Project settings (local), which writes `.claude/settings.local.json`:

```json
{
  "permissions": {
    "allow": [],
    "deny": ["Read(./.env)"],
    "ask": []
  }
}
```
Verify the guardrail
Prompt:
Please read the .env file.
Expected result: the system blocks the read and reports permission denied.
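The prompt test above checks one file by hand. The script below is an added example (not part of the lesson and not Claude Code's own permission matcher): it parses the deny list from `.claude/settings.local.json`, pulls out every `Read(...)` rule, and reports which of a constructed list of secret-bearing files the rules cover. It assumes rules are compared to paths with shell-style glob matching after dropping a leading `./`; Claude Code's real matcher may differ, and the `Read(./.env.*)` and `Read(./**/.env)` rules in the widened settings are hypothetical, so confirm any change with the prompt test rather than with this script alone. The point it makes is that `Read(./.env)` alone covers exactly `.env`, so sibling files such as `.env.local` or a nested `config/.env` need their own rules.

```python
"""Pre-flight audit of Claude Code deny rules (added example, not the tool's own code)."""
import fnmatch
import json
import re
from typing import Dict, List

# Matches rules of the form Read(<path or glob>) as written by /permissions.
READ_RULE = re.compile(r"^Read\((.+)\)$")

# Constructed copy of the settings file the lesson's /permissions step writes.
SAMPLE_SETTINGS = """{
  "permissions": {
    "allow": [],
    "deny": ["Read(./.env)"],
    "ask": []
  }
}"""

# Constructed, hypothetical widened deny list: the glob forms are an assumption
# about Claude Code's rule syntax and must be confirmed with the prompt test.
WIDENED_SETTINGS = """{
  "permissions": {
    "allow": [],
    "deny": ["Read(./.env)", "Read(./.env.*)", "Read(./**/.env)"],
    "ask": []
  }
}"""


def _normalise(path: str) -> str:
    """Drop a leading './' so './.env' and '.env' compare equal."""
    return path[2:] if path.startswith("./") else path


def load_deny_patterns(settings_json: str) -> List[str]:
    """Return the normalised path patterns of every Read(...) rule in the deny list."""
    data = json.loads(settings_json)
    deny = data.get("permissions", {}).get("deny", [])
    patterns = []
    for rule in deny:
        m = READ_RULE.match(rule)
        if m:
            patterns.append(_normalise(m.group(1)))
    return patterns


def is_denied(path: str, patterns: List[str]) -> bool:
    """True if any deny pattern matches the path (assumed glob semantics)."""
    path = _normalise(path)
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def audit(settings_json: str, sensitive_files: List[str]) -> Dict[str, bool]:
    """Map each sensitive file to whether the settings' deny list covers it."""
    patterns = load_deny_patterns(settings_json)
    return {f: is_denied(f, patterns) for f in sensitive_files}


if __name__ == "__main__":
    # Constructed list of places a project commonly keeps secrets.
    candidates = [".env", ".env.local", ".env.production", "config/.env"]
    for label, settings in (("lesson rule", SAMPLE_SETTINGS), ("widened", WIDENED_SETTINGS)):
        print(f"--- {label} ---")
        for f, covered in audit(settings, candidates).items():
            print(f"{f:18} {'denied' if covered else 'NOT covered'}")
```

Run it from the project root and compare its verdicts with what the `/permissions` prompt test actually does; a file the script reports as "NOT covered" is a candidate for an additional deny entry.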