Course lesson

Protect Secrets from Being Read by Claude Code

Protecting secrets in Claude Code starts with permissions. Lock the workspace down with explicit deny rules.

Duration
1 min
Access
Free
Transcript
Needs source

Protecting secrets in Claude Code starts with permissions. Lock the workspace down with explicit deny rules.

The risk

Terminal
# .env
MY_SECRET="I love peanut butter"

Deny with /permissions

  1. Open the permissions manager:

    Terminal
    /permissions

  2. Add a Deny rule for the project:

    Read(./.env)

  3. Save to Project settings (local), which writes .claude/settings.local.json:

{
  "permissions": {
    "allow": [],
    "deny": ["Read(./.env)"],
    "ask": []
  }
}

Verify the guardrail

Prompt:

Please read the .env file.

Expected result: the system blocks the read and reports permission denied.