Developers remain unsure how to prevent access to sensitive data


Don't you hate it when machines can't follow simple instructions? Anthropic's Claude Code can't take "ignore" for an answer and continues to read passwords and API keys, even when your secrets file is supposed to be blocked.

Software developers often store secrets – passwords, tokens, API keys, and other credentials – in .env files within project directories. And if they do so, they're supposed to ensure that the .env file does not get posted in a publicly accessible .git repository.

A common way to do this is to create an entry in a .gitignore file that tells the developer's Git software to ignore that file when copying a local repo to a remote server.

Claude implements something similar, a .claudeignore file. 

When asked, "If I make a .env file, how do I keep you from reading it?", Claude responded, "You can add .env to a .claudeignore ...


Copyright of this story solely belongs to theregister.co.uk.