20 of the best prompts for avoiding hardcoded credentials, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
20 of the best prompts for avoiding hardcoded credentials, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
Published June 28, 2026
Hardcoding API keys, passwords, or tokens in source code exposes sensitive information. This can lead to security vulnerabilities and unauthorized access. These prompts help developers identify and replace hardcoded credentials with environment variables effectively. Built across 4 distinct stages covering Diagnose the Wall, Isolate and Fix, Verify the Resolution and more, this guide gives you one expert prompt per step so you never have to write from scratch or guess what the AI needs. The prompts work in ChatGPT, Claude, and Gemini and are designed to get usable output on the first try.
Identify where sensitive information is hardcoded in your codebase.
Identify Hardcoded Keys
Please scan the current code file for any instances of hardcoded API keys, passwords, or tokens. Identify each occurrence and provide a brief explanation of the potential security risks associated with hardcoding sensitive information. Additionally, suggest best practices for securely managing credentials in the codebase. Format your findings in a clear, organized list, including the line numbers where each instance is found.
Check for Sensitive Patterns
Please analyze the provided code for any patterns that may indicate the presence of sensitive information, such as API keys, passwords, or other credential formats. Identify and list any lines that appear suspicious or contain sensitive data, and provide a brief explanation of why each identified line is concerning. Additionally, suggest best practices for securing sensitive information in the codebase to prevent hardcoding credentials.
Analyze Recent Changes
Please analyze the latest changes in the file named [FILE NAME] to determine if any credentials have been added recently. Summarize your findings in a clear and concise manner, highlighting any specific lines where credentials were introduced, the type of credentials identified (e.g., API keys, passwords), and any potential security implications. Additionally, suggest best practices for managing credentials securely in the codebase. Format the summary as a report with bullet points for clarity.
Search for Plaintext Secrets
Examine the provided code for any instances of plaintext secrets that should be secured. Identify and list specific lines or sections where sensitive information, such as API keys, passwords, or tokens, is exposed in plaintext. For each identified instance, provide a brief explanation of why it is a security risk and suggest best practices for securing these secrets, such as using environment variables or secret management tools. Format your findings in a clear and organized manner, highlighting the lines of code and your recommendations.
Review for Environment Variables
Please review the provided code and identify any instances where sensitive data is hardcoded instead of being stored in environment variables. For each instance you find, provide a brief explanation of the potential security risks associated with hardcoding this data. Additionally, suggest how to refactor the code to utilize environment variables properly. Format your response as a list, clearly indicating the line numbers or sections of the code where changes are needed.
Replace hardcoded credentials with environment variables to secure sensitive information.
Replace with Env Variables
Identify each hardcoded credential in the provided code snippet and suggest a method to replace it with an environment variable. For each credential, explain the rationale behind using environment variables for security and maintainability. Additionally, provide example code demonstrating how to implement the changes, including how to access the environment variables in the code. Ensure the examples are clear and follow best practices for handling sensitive information.
Create .env Template
Create a template for a .env file that includes all necessary environment variables for a project. The template should cover common credentials such as database connection strings, API keys, and any other sensitive information that needs to be stored securely. Please format the output with placeholder values, using descriptive names for each variable, and include comments to explain the purpose of each variable. Ensure that the template is clear and easy to understand for someone setting up the project for the first time.
Refactor Code for Security
Refactor the following code to enhance security by ensuring that all sensitive information, such as API keys and database credentials, is accessed through environment variables. Please provide the refactored code along with comments explaining how each sensitive piece of information is retrieved from the environment variables. Additionally, include a brief explanation of the importance of using environment variables for security in software development. The original code is as follows: [INSERT ORIGINAL CODE HERE].
Guide on Env Setup
Please provide a detailed guide on setting up environment variables for a project. Include specific steps for configuring environment variables in both local and production environments. For the local setup, explain how to create a `.env` file, what format to use, and how to load these variables in the application. For the production environment, outline best practices for securely managing these variables, including any tools or services that can be used. Make sure to include examples of common environment variables that might be needed for a typical project.
Validate Env Usage
Please review the refactored code to ensure it correctly accesses environment variables. Identify any instances where hardcoded credentials may still exist and provide a detailed report on your findings. Include specific lines of code where issues are present, suggest appropriate corrections, and explain the importance of using environment variables for security. Additionally, summarize best practices for managing sensitive information in code.
Ensure that all sensitive information is now secured using environment variables.
Confirm No Hardcoding
Please re-scan the provided codebase to verify that there are no hardcoded credentials present. Create a detailed confirmation report that outlines your findings, including any instances of hardcoded credentials if found, along with their locations in the code. Additionally, provide recommendations for best practices to avoid hardcoding credentials in the future. The report should be structured clearly, with sections for findings, recommendations, and any relevant code snippets.
Test Env Variable Access
Please run a test to verify that the application correctly accesses all required environment variables. List each environment variable being accessed and indicate whether it was successfully retrieved or if there were any issues. If there are problems, provide specific details about which variables failed and any error messages encountered. Additionally, suggest potential solutions or steps to resolve the issues found during the test.
Check for Security Warnings
Analyze the following code for any security warnings related to credential management: [INSERT CODE HERE]. Specifically, look for hardcoded credentials, insecure storage practices, or any other vulnerabilities that could expose sensitive information. Provide a detailed list of any warnings found, including the line numbers where the issues occur and suggestions for how to resolve each warning. Additionally, summarize best practices for secure credential management that should be followed in this code.
Verify .env File Usage
Please verify the usage of the .env file in the application. Check that the file is correctly set up with the necessary environment variables, and confirm that the application is integrating these variables properly during runtime. Provide a summary of the key variables included, any potential issues with their configuration, and how the application behaves with and without the .env file. Additionally, outline any best practices for managing sensitive information in the .env file.
Run Security Audit
Please conduct a basic security audit on the provided code, focusing specifically on vulnerabilities related to credential handling. Identify any hardcoded credentials, insecure storage practices, or potential exposure points. After your analysis, provide a detailed summary of the findings, including recommendations for improving security and best practices for credential management. Ensure the summary is clear and actionable, highlighting the most critical issues first.
Implement practices to avoid hardcoding credentials in the future.
Draft CLAUDE.md Rule
Please draft a new rule for CLAUDE.md that addresses the issue of hardcoding credentials in code. The rule should clearly outline the reasons why hardcoding credentials is a security risk, provide examples of acceptable practices for managing credentials securely, and specify the consequences for non-compliance. Ensure the rule is concise yet comprehensive, ideally formatted as a bullet-point list for clarity. Include a section on best practices for developers to follow when handling sensitive information.
Add Code Comment
Please provide a code comment that reminds developers to use environment variables for storing sensitive data instead of hardcoding credentials directly in the codebase. The comment should clearly explain the importance of this practice for security and maintainability. Additionally, include an example of how to properly reference an environment variable in code. Format the comment in a way that is concise yet informative, suitable for inclusion in a code review.
Create Setup Checklist
Please create a detailed checklist for setting up environment variables in new projects. Include the following steps: defining the necessary environment variables, creating a .env file, ensuring the file is added to .gitignore, loading the variables in the application code, and testing to confirm that the variables are correctly set. Additionally, provide tips on best practices for managing sensitive information and how to handle different environments (development, staging, production). Format the checklist in a clear, numbered list for easy reference.
Define Naming Convention
Propose a comprehensive naming convention for environment variables that promotes consistency and clarity across projects. Include guidelines on how to structure variable names, such as using uppercase letters with underscores for separation, and suggest prefixes or suffixes that indicate the variable's purpose or context. Provide at least five examples of well-structured environment variable names, explaining the rationale behind each choice to illustrate how they align with the proposed convention.
Establish Project Guard
Help me design a project guard mechanism that automatically checks for hardcoded credentials during code reviews. Outline the key components needed for this system, including the technologies or tools that could be utilized, the process for integrating it into existing workflows, and how it will notify developers of any detected issues. Additionally, provide guidelines on how to configure the system for different programming languages and best practices for maintaining it over time. Include any potential challenges and solutions for effective implementation.
GitHub Copilot analyzes the open files and uses pattern recognition to identify lines that resemble common credential formats. It highlights these lines for review.
GitHub Copilot suggests changes but does not automatically modify code. It can propose replacing hardcoded credentials with environment variables, which developers can then implement.
GitHub Copilot can guide you through creating a .env file and configuring your project to use environment variables, ensuring secure management of sensitive data.
If Copilot misses a credential, manually review the code and use Copilot's suggestions to refactor it. Regular audits and code reviews can help catch such issues.
Use GitHub Copilot to draft CLAUDE.md rules and code comments that enforce best practices. Implement project guards to automate checks during code reviews.
AI Prompts for Prevent Hardcoding of Credentials
Embedding API keys directly in source code can lead to security vulnerabilities and make it difficult to manage sensitive information.
See promptsAI Prompts for Prevent Hardcoding Credentials in Code
Embedding API keys directly in source code can lead to security vulnerabilities and accidental exposure of sensitive information.
See promptsAI Prompts for GitHub Copilot for Code Completion
Developers often face challenges with code completion and suggestions, leading to inefficiencies.
See prompts