Protecting secrets in Claude Code starts with permissions. Lock the workspace down with explicit deny rules.
# .env
MY_SECRET="I love peanut butter"
Open the permissions manager:
/permissions
Add a Deny rule for the project:
Read(./.env)
Save to Project settings (local), which writes .claude/settings.local.json:
{
  "permissions": {
    "allow": [],
    "deny": ["Read(./.env)"],
    "ask": []
  }
}
Prompt:
Please read the .env file.
Expected result: the system blocks the read and reports permission denied.
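One way to confirm from a script or pre-commit hook that the deny rule from the steps above is present, and to add it when it is not. This is an added example, not part of the original lesson or of Claude Code; the function names are hypothetical, and the check compares rule strings exactly without interpreting patterns.

```python
import json
import tempfile
from pathlib import Path

SETTINGS = Path(".claude") / "settings.local.json"  # file named in the lesson


def read_settings(project: Path) -> dict:
    """Parse the local settings file; an absent file counts as empty settings."""
    path = project / SETTINGS
    return json.loads(path.read_text()) if path.exists() else {}


def missing_deny_rules(project: Path, secret_files: list[str]) -> list[str]:
    """Return the Read(./<file>) rules that are not yet in the deny list."""
    deny = read_settings(project).get("permissions", {}).get("deny", [])
    wanted = [f"Read(./{name})" for name in secret_files]
    return [rule for rule in wanted if rule not in deny]


def ensure_deny_rules(project: Path, secret_files: list[str]) -> list[str]:
    """Append missing rules, keep every existing setting, return what was added."""
    data = read_settings(project)
    added = missing_deny_rules(project, secret_files)
    data.setdefault("permissions", {}).setdefault("deny", []).extend(added)
    path = project / SETTINGS
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(data, indent=2) + "\n")
    return added


def demo() -> tuple[list[str], list[str], list[str]]:
    """Run against a constructed throwaway project, not a real workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        (project / ".env").write_text('MY_SECRET="I love peanut butter"\n')
        before = missing_deny_rules(project, [".env"])  # no settings file yet
        added = ensure_deny_rules(project, [".env"])    # writes the rule
        after = missing_deny_rules(project, [".env"])   # nothing left to add
        return before, added, after


if __name__ == "__main__":
    print(demo())
```

A hook can fail the commit whenever missing_deny_rules returns a non-empty list for the secret files the project tracks.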
[00:00] So most projects have secrets that they store in .env files or other places that you don't want your AI to have access to. And what you can do in Claude is invoke the slash permissions command. We'll tab over to deny and we'll tell it to deny reading in our current directory the .env file. We'll hit enter and this will create a file once I hit enter here inside of our .claude directory called settings.local.json and it adds this to the deny list. Now I'm going to hit escape out of here.
[00:35] I cleared out my session and I'll ask it to please read the .env file. It will attempt to call the read tool with .env but get a permission denied warning. So as a primary security measure, it's best to set up your deny list first, keep your secrets safe, so that even if you're ever exposed to a rogue MCP tool or some sort of prompt poisoning or other security issues that arise from AI dev tooling, Claude will know that it's never allowed to use this sort of tool on these files.