
Stop Claude Code from Hardcoding Secrets: Environment Variables Done Right
By default, Claude Code can generate code with hardcoded credentials if you describe configurations in your prompts. This is the setup that prevents it.

## The Problem

When you say something like:

"Connect to the database at postgres://admin:password123@db.example.com/mydb"

Claude Code might generate:

```python
from sqlalchemy import create_engine

# Bad - hardcoded credentials
engine = create_engine("postgres://admin:password123@db.example.com/mydb")
```

This can end up committed to Git, especially if nobody reviews the diff carefully. Once a credential is in history it must be treated as leaked and rotated, so the goal is to stop it from being written in the first place.

## CLAUDE.md Rules That Prevent This

```markdown
## Security Rules (Mandatory)

### Secrets
- NEVER hardcode credentials, API keys, passwords, or tokens
- All secrets must come from environment variables
- Pattern: `os.getenv("DATABASE_URL")` not `"postgres://user:pass@host/db"`
- If writing connection strings or API endpoints, use environment variable names

### Environment Variables
- Development: `.env` file (in .gitignore)
- Production: Platform environment variables (not .env)
- Required vars must be documented in
```
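The rules above describe the pattern; the block below is an added example (not code from the post or from Claude Code) showing what that pattern looks like in Python once it is applied: a `.env` loader for development that never overrides platform-provided variables, a settings loader that fails fast at startup when a required variable is missing, a redaction helper so connection strings can be logged without their password, and a small pre-commit-style check that flags `user:password@` URLs in generated code. The function names, `REQUIRED_VARS`, and the sample `.env` and source text are all constructed for this example.

```python
import re
from typing import Iterable, Mapping, MutableMapping
from urllib.parse import urlsplit, urlunsplit

# Added example; the variable names and sample inputs are assumptions, not from the post.
REQUIRED_VARS = ("DATABASE_URL", "API_KEY")

# A URL whose authority part carries "user:password@". Deliberately narrow: it catches
# the connection-string case from the post, not every shape a secret can take.
_CREDS_IN_URL = re.compile(r"([a-z][a-z0-9+.-]*://[^\s:@/\"']+:)[^\s@/\"']+(@)", re.I)


def load_dotenv_text(text: str, environ: MutableMapping[str, str]) -> None:
    """Apply KEY=VALUE lines from a .env file (development only).

    Existing entries win, so platform-provided production variables are never
    overridden by a stray .env that was deployed by mistake.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        environ.setdefault(key, value.strip().strip("'\""))


def load_settings(environ: Mapping[str, str], required: Iterable[str] = REQUIRED_VARS) -> dict:
    """Fail fast at startup if any required variable is absent or empty."""
    missing = [name for name in required if not environ.get(name)]
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    return {name: environ[name] for name in required}


def redact_url(url: str) -> str:
    """Return the URL with its password replaced by *** so it is safe to log.

    urlsplit lowercases the host and drops IPv6 brackets; fine for log output.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit(parts._replace(netloc=f"{parts.username or ''}:***@{host}"))


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, redacted_line) for every line carrying a user:password@ URL."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _CREDS_IN_URL.search(line):
            hits.append((lineno, _CREDS_IN_URL.sub(r"\1***\2", line)))
    return hits


# Constructed sample of code an assistant might emit, bad and good forms side by side.
SAMPLE_SOURCE = """\
engine = create_engine("postgres://admin:password123@db.example.com/mydb")  # bad
engine = create_engine(os.environ["DATABASE_URL"])  # good
client = Client(base_url="https://api.example.com/v1", token=os.getenv("API_KEY"))  # good
"""

# Constructed .env content for development; in production these come from the platform.
SAMPLE_DOTENV = """\
# local development only, this file is in .gitignore
DATABASE_URL=postgres://admin:localpw@localhost:5432/mydb
API_KEY='dev-key'
"""


def demo() -> dict:
    env = {"API_KEY": "prod-key"}          # pretend the platform already set this one
    load_dotenv_text(SAMPLE_DOTENV, env)   # fills DATABASE_URL, leaves API_KEY alone
    settings = load_settings(env)
    return {
        "api_key": settings["API_KEY"],
        "db_for_logs": redact_url(settings["DATABASE_URL"]),
        "findings": find_hardcoded_credentials(SAMPLE_SOURCE),
    }


if __name__ == "__main__":
    print(demo())
```

Run `find_hardcoded_credentials` over generated files in a pre-commit hook alongside a real secret scanner; the regex here only covers credentials embedded in URLs, which is the exact failure mode the prompt in this post produces.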



