← Back to catalog
HookSecurity↓ 57

Env File Protection

Stops Claude Code from writing to .env files and leaking secrets by accident.

Installation
npx claude-code-templates@latest --hook security/env-file-protection --yes

This hook runs on the PreToolUse event, specifically on Write tool calls. It uses a lightweight condition to check the write target.

When the destination file matches the .env pattern, the write is denied right away, preventing credentials from being overwritten or leaked by mistake.

When to use

  • When you keep secrets in .env files and want to protect them.
  • When several contributors use the agent and the overwrite risk is real.

How to use

After installing, any attempt to write to .env is blocked automatically. Edit those files manually when you need to.