DEV Community

brian austin

Claude Code .claudeignore: stop leaking secrets and node_modules into your context


If you've ever watched Claude Code read through thousands of lines of node_modules or seen it suggest changes to your .env file, you've hit one of the most overlooked configuration problems in Claude Code setups.

The fix is a .claudeignore file — and most developers don't know it exists.

What Claude Code reads by default

When you run Claude Code in a project directory, it can access everything in that directory. That includes:

  • node_modules/ — millions of lines of vendor code
  • .env — your API keys, database passwords, secrets
  • dist/ and build/ — compiled output you don't want edited
  • *.log files — debug noise
  • .git/ internals — usually irrelevant

This burns through your context window fast and introduces security risks when Claude has visibility into secret files.

.claudeignore syntax

The .claudeignore file uses the same syntax as .gitignore:

# .claudeignore
node_modules/
dist/
build/
.next/
.nuxt/
coverage/

# Secrets
.env
.env.local
.env.production
*.pem
*.key
secrets.json

# Logs
*.log
logs/

# Test artifacts
__snapshots__/
.jest-cache/

# Database files
*.sqlite
*.db
dump.sql

# Large data files
data/
datasets/
*.csv
*.json.gz

Place this file in your project root alongside your CLAUDE.md.

The security case for .claudeignore

Even if you trust Claude Code, there's a subtler risk: when Claude reads your .env, that content enters the conversation context. If you're using a proxy or logging tool in the chain, those values can be exposed.

Hard rule: always ignore .env and any file containing credentials.

# Secrets — always ignore these
.env
.env.*
*.pem
*.p12
*.key
credentials.json
service-account.json
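
Enumerating `.env` variants one by one leaves gaps that a glob such as `.env.*` closes. The following checker is an added example, not code from the original post: it evaluates ignore-file patterns against a file list and reports credential-like files that no rule covers. It implements only a subset of .gitignore syntax (comments, `!` negation with last match wins, trailing-`/` directory rules, per-segment globs, no `**`); the function names and the sample tree are constructed for illustration.

```python
import fnmatch

# Credential file names from the "always ignore" list above.
SECRET_GLOBS = [".env", ".env.*", "*.pem", "*.p12", "*.key",
                "credentials.json", "service-account.json"]

def parse_ignore(text):
    """Parse ignore-file text into (negated, dir_only, anchored, segments) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body = line.lstrip("!").rstrip("/")
        rules.append((line.startswith("!"), line.endswith("/"),
                      "/" in body, body.strip("/").split("/")))
    return rules

def is_ignored(path, rules):
    """True if a repo-relative file path is excluded; the last matching rule wins."""
    parts, ignored = path.split("/"), False
    for negated, dir_only, anchored, segs in rules:
        # A dir-only rule may match a parent directory, never the file itself.
        limit = len(parts) - 1 if dir_only else len(parts)
        for end in range(len(segs), limit + 1):
            # Patterns without a slash match at any depth; others are root-anchored.
            window = parts[:end] if anchored else parts[end - 1:end]
            if len(window) == len(segs) and all(
                    fnmatch.fnmatchcase(w, s) for w, s in zip(window, segs)):
                ignored = not negated
                break
    return ignored

def unprotected_secrets(paths, ignore_text):
    """Credential-like files in paths that the ignore rules do not cover."""
    rules = parse_ignore(ignore_text)
    return [p for p in paths
            if any(fnmatch.fnmatchcase(p.rsplit("/", 1)[-1], g) for g in SECRET_GLOBS)
            and not is_ignored(p, rules)]

# Constructed sample tree (repo-relative paths), not from a real project.
TREE = ["src/app.ts", ".env", ".env.staging", "certs/client.p12",
        "deploy/service-account.json", "node_modules/x/test/server.key"]
# Secrets entries from the first listing above vs. the "always ignore" list.
ENUMERATED = "node_modules/\n.env\n.env.local\n.env.production\n*.pem\n*.key\nsecrets.json\n"
HARD_RULE = "node_modules/\n" + "\n".join(SECRET_GLOBS) + "\n"

if __name__ == "__main__":
    print(unprotected_secrets(TREE, ENUMERATED))  # three uncovered files
    print(unprotected_secrets(TREE, HARD_RULE))   # []
```

Run it against a file listing of your own repo and the contents of your ignore file; an empty result means every file matching the credential globs is covered by some rule.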

The performance case

Context window space is limited. Every token Claude spends reading node_modules/lodash/index.js is a token it can't use for your actual code.

With a .claudeignore, Claude stays focused:

# Before .claudeignore: Claude reads
- src/ (your code)
- node_modules/ (2M+ lines)
- dist/ (compiled output)
- .env (secrets)
- *.log (debug noise)

# After .claudeignore: Claude reads
- src/ (your code)
- That's it.

For large projects this makes a measurable difference in response quality. Claude gives better answers when it's reading your code, not vendor code.

Combining .claudeignore with CLAUDE.md

Think of these as two layers:

  • CLAUDE.md — tells Claude how to behave (conventions, rules, preferences)
  • .claudeignore — tells Claude what not to see (files to exclude from context)

Together they define a clean workspace:

<!-- CLAUDE.md -->
# Project conventions
- TypeScript strict mode
- Tests required for all new functions
- Never commit directly to main

<!-- .claudeignore excludes everything Claude shouldn't touch -->

A complete .claudeignore for a Node.js project

# Dependencies
node_modules/
.pnp
.pnp.js

# Build output
dist/
build/
.next/
out/

# Environment and secrets
.env
.env.local
.env.development.local
.env.test.local
.env.production.local
*.pem

# Logs
npm-debug.log*
yarn-debug.log*
yarn-error.log*
*.log

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Coverage
coverage/
.nyc_output

# Cache
.cache/
.parcel-cache/
.eslintcache

# OS files
.DS_Store
Thumbs.db

A complete .claudeignore for a Python project

# Virtual environments
venv/
env/
.venv/
__pycache__/
*.pyc
*.pyo
*.pyd

# Distribution
dist/
build/
*.egg-info/
.eggs/

# Environment
.env
*.env
secrets.py
config/secrets.yml

# Data
data/
datasets/
*.csv
*.parquet
*.pkl

# Notebooks (optional — include if you want Claude editing notebooks)
# *.ipynb

# Logs
*.log
logs/

# Testing
.pytest_cache/
htmlcov/
.coverage

What to keep visible

Some files should stay visible even if you'd normally gitignore them:

  • README.md — project overview Claude needs
  • package.json / pyproject.toml — dependency list helps Claude suggest fixes
  • tsconfig.json — TypeScript config Claude needs to understand your setup
  • Makefile — if it defines your build commands

Don't over-ignore. The goal is signal-to-noise, not maximum exclusion.

Check what Claude is reading

You can see what files Claude Code has access to by running:

claude --list-files

Run this before and after adding .claudeignore to verify it's working.

Rate limits and context budget

If you're hitting Claude Code's rate limits, a .claudeignore won't directly help — rate limits are per-request, not context-size-based. But it does mean each request is more focused and you need fewer follow-up clarification requests.

For teams hitting rate limits regularly, pointing Claude Code at a proxy via ANTHROPIC_BASE_URL removes the caps entirely:

export ANTHROPIC_BASE_URL=https://simplylouie.com/api/claude

SimplyLouie runs at $2/month with no rate limits — useful when .claudeignore alone isn't enough to keep sessions flowing.

Summary

| File | Purpose |
|---|---|
| .claudeignore | What Claude cannot see |
| CLAUDE.md | How Claude should behave |
| settings.json | What Claude is allowed to do |

All three belong in your repo root. Together they give you a Claude Code setup that's focused, secure, and consistent across your team.

Add .claudeignore to your next project and run claude --list-files to verify. The context window you save is the context window you keep for actual work.
