This setting denies reads of files that typically hold secrets, such as .env and its variants, secrets folders, and credential files.
Even if you ask, Claude can’t open those paths.
That keeps keys and passwords out of the conversation context and out of logs.
When to use
- On any project with environment variables or credentials in the repo.
- When you share sessions or work in sensitive environments.
- As an extra layer against accidental secret exposure.
How to use
Apply the setting and adjust the list of denied paths to match where your secrets live.
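
A deny list of this kind, as an added example that is not from the original page. It assumes the setting is the `permissions.deny` list in a Claude Code project settings file (`.claude/settings.json`); the four paths are sample locations to replace with your own.

```json
{
  "permissions": {
    "deny": [
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Read(./config/credentials.json)"
    ]
  }
}
```

Each entry covers one location named above: the .env file, its variants, a secrets folder, and a credential file. Add an entry for every other place your project keeps keys or passwords.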