Claude Code will read your .env files, even if you tell it not to.
In retrospect, maybe I shouldn’t be shocked. I’ve got cold hard evidence Claude Code will read your .env file secrets even if you tell it not to. It did it twice for good measure (you can see some excerpts from my conversation below). Apparently this is not a new phenomenon and has made the rounds. While pulling my hair out over this, I found this blog post by Filip Hric, with a very neat solution leveraging 1Password to load the secrets at runtime.