Claude Code reads forbidden hidden files
Anthropic's Claude Code simply doesn't understand the word ignore: it continues to read passwords and API keys even if the secret file is locked.
Developers often keep secrets—passwords, tokens, and API keys—in special .env files directly in their project folders. However, this requires them to ensure that such files are not publicly available in .git repositories.
A common way to do this is to create an entry in the .gitignore file that tells the developer's Git software to ignore this file when copying the local repository to the remote server.
Claude implements something similar — the .claudeignore file.
When Claude was asked, “If I create a .env file, how do I prevent you from reading it?” it replied, “You can add .env to the .claudeignore file in the root of your project. It works just like .gitignore — Claude Code will refuse to read any files that match the patterns specified there.”
But Claude is wrong. As described in a Pastebin post, Claude can read the contents of the .env file, despite the entry in the .claudeignore file that should block access.
The Register reproduced this by creating a directory, adding a .env file with test secrets and a .claudeignore file with the entries “.env” and “.env.*”, and then running Claude Code (v2.1.12) via the command line interface (CLI).
“We asked Claude to read the .env file, and it did so — which wouldn’t have happened if Claude had followed the rules in .claudeignore,” the publication noted.
This has potential security implications, especially for agents—such tool-supported AI models can be forced to reveal stored secrets via indirect prompt injections.
In addition, Claude will also ignore the presence of ".env" in the .gitignore file. It does this despite a default /config flag that sets "Respect .gitignore in file picker" to "true".
In fact, when asked to read a .env file in a project with a .gitignore entry that contains “.env,” Claude dutifully prints the secrets to the console with the following warning: “Note: This file contains credentials. Be careful about submitting it to a version control system — make sure .env is listed in your .gitignore.”
Claude’s willingness to ignore .claudeignore directives is mentioned in a public issue on the Claude Code GitHub repository titled "[HIGH PRIORITY] Claude exposes secrets/tokens in tool output — data is not hidden." The user who opened this ticket two days ago notes: "This is a critical security issue that needs to be addressed urgently."
There are methods to make Claude stay as far away from secrets as possible that seem to work — for example, defining access permissions in the settings.json file located in the .claude directory of the project.
When The Register journalists created such a file, Claude threw an error: “The .env file is blocked by permissions settings. This is expected behavior — .env files typically contain secrets (API keys, passwords, database credentials), so they are excluded from tool access as a security measure.”
But configuring these permission settings can be tricky — the bug report raising this concern includes a response explaining that Claude's syntax for absolute paths starts with a double slash ("//") rather than the single slash ("/") that Linux and macOS users might expect. Developers have also reported issues with the @ file reference syntax in settings.json. There are other issues, such as permissions.deny not preventing files from being loaded into memory.
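As an added example (not taken from the article, the bug report, or Anthropic's own material), the following is a project-level `.claude/settings.json` that uses the `permissions.deny` key mentioned above to block the Read tool from the `.env` file and its variants. The `Read(pattern)` rule form and the `./`-relative path notation are assumptions based on Anthropic's published settings documentation as I understand it; check them against the documentation for the Claude Code version you run, since the article notes that the path syntax has tripped up developers.

```json
{
  "permissions": {
    "deny": [
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./**/.env)",
      "Read(./**/.env.*)"
    ]
  }
}
```

To verify the rule took effect, ask Claude Code to read `.env` from the project root and confirm you get the "blocked by permissions settings" error the article quotes rather than the file's contents. Two caveats from the article itself: absolute paths reportedly need to start with `//` rather than `/`, so the project-relative form is the safer choice, and a deny rule governs tool access only, so it is not a substitute for keeping real credentials out of files the agent's working directory contains.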
“If settings.json is to be the only supported way to deny Claude access to files, Anthropic should make it clearer that .claudeignore is not an option. The model’s own recommendations should follow best practices, not mislead people,” the publication suggested.