20 of the best prompts for avoiding hardcoded credentials in code, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
20 of the best prompts for avoiding hardcoded credentials in code, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
Published June 28, 2026
Hardcoding API keys, passwords, or tokens in source code exposes sensitive information and poses security risks. This can lead to unauthorized access and data breaches. These prompts guide developers to identify, fix, and prevent such issues using Claude Code effectively. Built across 4 distinct stages covering Diagnose the Wall, Isolate and Fix, Verify the Resolution and more, this guide gives you one expert prompt per step so you never have to write from scratch or guess what the AI needs. The prompts work in ChatGPT, Claude, and Gemini and are designed to get usable output on the first try.
Identify where sensitive information is hardcoded in the codebase.
Identify Hardcoded Keys
Please scan the entire codebase for any hardcoded API keys, passwords, or tokens. Generate a detailed report that includes a list of files where these sensitive credentials are located, along with the specific line numbers for each instance. Additionally, provide a brief explanation of the potential security risks associated with hardcoded credentials and suggest best practices for securing sensitive information in the codebase. Format the report in a clear and organized manner for easy reference.
Check CLAUDE.md Compliance
Please analyze the following CLAUDE.md file content: [PASTE CONTENT]. Determine if the code complies with the guidelines regarding hardcoding credentials. Identify and list any specific violations, providing details on where they occur and suggestions for how to resolve them. Additionally, summarize the overall compliance status of the code with respect to credential management practices.
Locate Sensitive Strings
Please analyze the provided code for any strings that resemble sensitive information patterns, specifically looking for terms like 'key', 'secret', or 'token'. For each occurrence, provide the exact string found along with the surrounding lines of code to give context. Additionally, categorize the findings based on the type of sensitive information identified and suggest potential actions to secure these strings if they are indeed sensitive.
Analyze Recent Commits
Please analyze the last 10 commits in the repository and identify any changes that may have introduced hardcoded credentials. For each commit, provide a summary of the changes made, including the specific files affected and the lines of code where hardcoded credentials were found. Additionally, explain the potential security implications of these changes and suggest best practices for managing credentials securely in the codebase. Format your findings in a clear report with sections for each commit analyzed.
Review Configuration Files
Please review all configuration files in the project for any embedded sensitive information, such as API keys, passwords, or other credentials. For each instance of sensitive information found, provide the file path and the specific line number where it is located. Additionally, summarize the potential risks associated with exposing this information and suggest best practices for securing sensitive data in configuration files. Format your findings in a clear report that can be easily referenced.
Remove hardcoded credentials and replace them with environment variables.
Remove Hardcoded API Keys
Identify all instances of hardcoded API keys in the provided code. For each instance, replace the hardcoded key with an appropriate environment variable, ensuring that the code remains functional. Provide the updated code snippets along with a brief explanation of how to set the environment variables for different operating systems (e.g., Windows, macOS, Linux). Make sure to highlight any changes made and ensure that the code adheres to best practices for security and maintainability.
Replace Passwords with Env Vars
Identify all instances of hardcoded passwords in the provided codebase and replace them with environment variables. For each instance, explain the rationale behind using environment variables for security and provide the updated code sections with clear annotations. Additionally, include a brief guide on how to set up the environment variables in a development and production environment, ensuring that the process is secure and follows best practices.
Secure Tokens in Env Vars
Please review the provided code and identify all instances of hardcoded tokens. Replace each hardcoded token with an appropriate environment variable, ensuring that the code remains functional and secure. Display the modified code with comments explaining where each environment variable is used and how to set them up in the environment. Additionally, provide a brief summary of the security benefits of using environment variables for sensitive information.
Update Configuration Files
Please review the following configuration files that currently contain hardcoded credentials. For each file, identify the hardcoded credentials and provide a revised version that replaces these credentials with appropriate environment variables. Ensure that the new configurations maintain the same functionality as the original files. Present the updated configurations in a clear format, highlighting the changes made for easy comparison.
Refactor Code for Security
Refactor the following code sections that directly handle sensitive information, ensuring they utilize environment variables for security. The code should be modified to replace any hardcoded credentials or sensitive data with calls to environment variables. Please provide the updated code along with a brief explanation of the changes made and why using environment variables enhances security. Ensure the refactored code is clear and follows best practices for handling sensitive information.
Ensure all hardcoded credentials have been removed and replaced correctly.
Confirm No Hardcoded Keys
Please re-scan the codebase for any hardcoded API keys. I need a detailed confirmation report that specifies whether any hardcoded keys remain, along with a list of any issues found. If there are no issues, please confirm that the codebase is clean. If there are remaining hardcoded keys, provide their locations and suggestions for how to resolve these issues.
Validate Environment Variable Usage
Please review the codebase for the usage of environment variables to ensure that all sensitive information, such as API keys, database credentials, and any other confidential data, is properly stored and accessed through environment variables. Provide a detailed report that confirms compliance with this practice or highlights any discrepancies found. Include specific examples of any instances where sensitive information is hardcoded, and suggest corrective actions to improve security. The report should be structured with clear sections for compliance confirmation, discrepancies, and recommendations.
Test Configuration Files
Please run a comprehensive set of tests on all configuration files to verify their functionality with environment variables. Ensure that each file is checked for proper loading of variables and that there are no syntax or runtime errors. Document any errors or issues encountered during the testing process, including the specific file names and the nature of the errors. Provide a summary report detailing the overall success rate of the configuration files and any recommendations for fixes or improvements.
Review Security Logs
Please analyze the security logs from [START DATE] to [END DATE] for any unauthorized access attempts following the recent fix. Identify the number of attempts, the IP addresses involved, and the timestamps of each incident. Summarize your findings in a report format, highlighting any patterns or notable incidents, and provide recommendations for improving security measures based on the analysis.
Run Security Audit
Conduct a thorough security audit of the codebase to ensure that no sensitive information, such as hardcoded credentials or API keys, is exposed. Please analyze all files and configurations, and identify any potential vulnerabilities or areas of concern. Summarize your findings in a detailed report, including specific locations of any issues found, recommendations for remediation, and best practices for securing sensitive information in the future. The report should be clear and structured, making it easy to understand and act upon.
Implement safeguards to avoid future hardcoding of credentials.
Create CLAUDE.md Rule
Create a new rule for CLAUDE.md that addresses the issue of hardcoding credentials in code. The rule should clearly state the importance of keeping credentials secure and outline best practices for managing them, such as using environment variables or secure vaults. Include specific examples of what constitutes hardcoding credentials and provide a clear directive on how developers should handle sensitive information. Format the rule in a way that can be easily integrated into the existing documentation.
Add Code Comments
Please review the codebase and identify all instances where sensitive information, such as API keys or database credentials, is handled. For each instance, add clear and concise comments that remind developers to use environment variables instead of hardcoding these credentials. Additionally, provide examples of how to properly implement environment variables in the code. Ensure that the comments are informative and guide developers on best practices for managing sensitive information securely.
Develop Naming Conventions
Please develop a comprehensive naming convention for environment variables that manage sensitive information. Include a structured list of recommended names that clearly indicate the type of sensitive data they represent, such as database credentials, API keys, and encryption keys. Additionally, provide guidelines on how to format these names consistently, including the use of prefixes or suffixes to denote the environment (e.g., development, staging, production) and any best practices for maintaining security and clarity. Aim for a format that is easy to understand and implement across different projects.
Design Session-Opener Checklist
Create a comprehensive checklist for developers to use at the beginning of each coding session to prevent hardcoding sensitive information. The checklist should include items such as verifying that no API keys, passwords, or personal data are included in the code, ensuring that environment variables are used instead, and confirming that code is reviewed for security best practices. Additionally, include steps for documenting any sensitive information handling procedures and reminders for using secure storage solutions. Format the checklist in a clear, organized manner with bullet points for easy reference.
Implement Project Guard
Help me design a project guard that automatically checks for hardcoded credentials before code commits. The guard should include specific configuration settings such as the types of credentials to check (e.g., API keys, passwords), the programming languages it will support, and the integration process with the version control system. Additionally, outline how the guard will notify developers of any detected issues, including the format of the notifications and any recommended actions to resolve the problems. Provide a step-by-step implementation guide that ensures the guard is effective and easy to use.
Claude Code can scan your entire codebase for patterns that match sensitive information like API keys or passwords. Use specific prompts to identify and list these occurrences.
Replace all hardcoded credentials with environment variables. Claude Code can assist by showing you how to refactor the code and update configuration files accordingly.
Use Claude Code to check your code against the rules specified in CLAUDE.md. It can identify any violations and suggest necessary changes.
Yes, Claude Code can autonomously replace hardcoded credentials with environment variables and refactor your code to enhance security.
Implement rules in CLAUDE.md, use naming conventions, and set up project guards with Claude Code to automatically check for hardcoded credentials before commits.
AI Prompts for Prevent Hardcoding of Credentials
Embedding API keys directly in source code can lead to security vulnerabilities and make it difficult to manage sensitive information.
See promptsAI Prompts for Prevent Hardcoding Credentials in Code
Embedding API keys directly in source code can lead to security vulnerabilities and accidental exposure of sensitive information.
See promptsAI Prompts for Claude Code for Coding
Developers often face challenges in efficiently writing and debugging code.
See prompts