guide·may 12, 2026·7 min read

how to prevent claude code from accessing .env files

two PreToolUse policies - block-env-files and protect-env-vars - refuse the read before claude code can execute it. five PostToolUse sanitizers catch keys that ended up in tool output and redact them before the model sees the next turn. install in two commands. nothing leaves the machine.

“the ai agent leaked my api key”

Pick any week in 2026 and there is a fresh story. A claude code session that leaked a stripe key into a github issue. A settings.local.json shipped to npm with 33 live credentials still inside. A cursor agent that read .env.production to “debug a connection error” and pasted the database url back into chat. The mechanism is always the same - the model reads a file or env var it shouldn't, and the secret enters the agent context, which means it enters logs, summaries, and the next api call. Once it's in the context window, you have already lost.

Why “don't read .env” in the prompt isn't enough

The model doesn't need to be malicious to leak your .env. It just needs to think reading it is helpful - “let me check the database url to debug this connection error.” The harness obliges. The secret enters the context window. The secret leaves with the next API call, ends up in logs, gets summarized into a comment.

You can write “never read .env” in CLAUDE.md a thousand times. That is not enforcement. Hooks are.

The broader picture: preventing every claude code secret leak

.env is the most common surface but it is not the only one. To prevent a claude code secret leak in production you need to cover four channels: env files on disk, environment variables in the running process, secrets that appear in tool output (logs, error messages, command results), and secrets the agent decides to write somewhere new. failproof ai ships a policy for each. The rest of this guide walks through them in install order.

Install (60 seconds)

block-env-files, protect-env-vars, and the five sanitize-* policies are enabled by default. Run failproofai policies to confirm.

block-env-files (PreToolUse)

Refuses any read or shell invocation targeting an env file. Matches:

  • .env, .env.local, .env.development, .env.production, .env.test, .env.*
  • Direct read tool calls - Claude Code's read, cat, head, tail, less, more
  • Indirect reads - grep ANTHROPIC_API_KEY .env, source .env, . .env
  • Globbed reads - cat .env*, cat .env.*

Add additional secret files (config/credentials.json, .secrets, infra/*.tfvars) from the dashboard policy editor.
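
The matching described above, sketched as a stand-alone PreToolUse hook. This is an added example, not failproof ai's own code: the function names are hypothetical, and it assumes the hook receives the tool call as JSON on stdin with tool_name and tool_input fields (file_path for Read, command for Bash) and that exit status 2 blocks the call.

```python
import fnmatch
import json
import re
import sys

# Representative env-file names, used to test whether a shell glob could expand to one.
SAMPLES = (".env", ".env.local", ".env.production")
# Split on whitespace, quotes and shell operators so `cat<.env;` still yields ".env".
SPLIT = re.compile(r"[\s;|&<>()'\"`=]+")

def is_env_path(token: str) -> bool:
    """True if the token names .env / .env.* or is a glob that could expand to one."""
    name = token.rsplit("/", 1)[-1]
    if not name.startswith("."):  # default shell globs never match a leading dot
        return False
    if any(c in name for c in "*?["):
        return any(fnmatch.fnmatchcase(s, name) for s in SAMPLES)
    return name == ".env" or name.startswith(".env.")

def deny_reason(event: dict):
    """Return a refusal message for a PreToolUse event, or None to allow it."""
    tool, args = event.get("tool_name"), event.get("tool_input", {})
    if tool == "Read":
        tokens = [args.get("file_path", "")]
    elif tool == "Bash":
        # Check every token, not just the first word: this covers cat, grep,
        # `source .env`, `. .env` and reads nested inside $(...) alike.
        tokens = SPLIT.split(args.get("command", ""))
    else:
        return None
    for tok in tokens:
        if is_env_path(tok):
            return f"refused to read {tok} - env file access is disabled by policy"
    return None

if __name__ == "__main__":
    reason = deny_reason(json.load(sys.stdin))
    if reason:
        print(reason, file=sys.stderr)
        sys.exit(2)  # assumed: exit status 2 from a hook blocks the tool call
```

Checking every token over-blocks on purpose: a command that merely mentions .env.example is refused too, which is the safe direction for a deny policy.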

protect-env-vars (PreToolUse)

Even when the env file is locked, the agent can still read the running process's environment. protect-env-vars blocks that surface:

  • printenv with no arg (full dump)
  • env with no command (full dump)
  • echo $ANTHROPIC_API_KEY, echo "$AWS_SECRET_ACCESS_KEY", and any echo $VAR form matching a secret-pattern variable name
  • cat /proc/$$/environ and other process-table tricks

PostToolUse sanitizers (the safety net)

If a secret slips past the PreToolUse layer - for example because it's in an unrelated file the agent legitimately needed to read - the PostToolUse sanitizers redact it before the model sees the result. Five sanitizers ship by default:

  • sanitize-api-keys - Anthropic, OpenAI, GitHub, AWS, Stripe, and Google key formats
  • sanitize-jwt - base64url JWT triplets
  • sanitize-connection-strings - credentials in database connection URIs (postgres://, mongodb://, redis://, …)
  • sanitize-private-key-content - PEM blocks and private key data
  • sanitize-bearer-tokens - Authorization headers with 20+ character tokens

The redacted output is what re-enters the agent context window. The model never sees the raw secret, so it can't paste it into a follow-up tool call.

What Claude Code shows when a read is denied

block-env-files exits non-zero with a structured message: “refused to read .env - env file access is disabled by policy. if you need a specific value, ask the user to paste it.” The agent sees the deny, doesn't loop, and either asks the user for the value it needs or proceeds without it.
