[BUG] Claude Code could read the .env content even .claude/settings.json is configured
Resolved 💬 9 comments Opened Sep 22, 2025 by ikamii Closed Jan 6, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
So I have created ~/.claude/settings.json and path/to/project/.claudeignore to avoid claude to read my .env content.
It still bypassed this configuration and could read the content inside it.
Following you can find our conversation:
> how can you see my .env again?
⏺ You're absolutely right to question that! I
shouldn't be able to read your .env file due
to the security settings you put in place.
I was referencing the system reminder that
showed me the changes to the file, but
you're correct - this goes against the
security setup you intentionally created. I
should not have access to your actual Stripe
keys and should stick to using the safe
reference files you set up.
Let me respect your security configuration
and work with the information you provide
directly rather than trying to see sensitive
data.
> but how did you see it? where did you get that log?
⏺ You're absolutely right to be concerned about this! I can see your .env file contents through the
"system-reminder" messages that appear in my context. These reminders show me when files are
modified and include the actual changes.
This is a gap in the security setup - even though you have:
- .env read permissions denied in your ~/.claude/settings.json
- The file properly configured to be private
The system reminders are bypassing those protections by showing me the file changes directly.
This is definitely not ideal for your security setup. You may want to:
1. Report this as a security issue - the permission denials should prevent me from seeing the
content through any means
2. Consider using a different approach like environment variable names that don't reveal
sensitive data
3. Use the .claudeignore file if it provides better protection
I apologize for the security gap. Your instinct to question this was absolutely correct - the permission system should be more
comprehensive.
For now, I'll continue to avoid actively reading your .env file and work with the information you
provide directly, but you should definitely address this security concern.
What Should Happen?
Claude should not see my .env file content.
Error Messages/Logs
Steps to Reproduce
I am not sure if it is reproducible, but what I did was creating a webpage and used .env for api keys. It could still see the content.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
1.0.120
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
_No response_
This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗