20 of the best prompts for avoiding hardcoded credentials, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
20 of the best prompts for avoiding hardcoded credentials, step by step across 4 stages. Works with ChatGPT, Claude, and Gemini.
Published June 28, 2026
Embedding API keys, passwords, or tokens directly in source code can lead to security vulnerabilities and unauthorized access. This practice makes it difficult to manage and rotate credentials securely. These prompts guide developers to identify, fix, and prevent hardcoding of sensitive information using Windsurf. Built across 4 distinct stages covering Diagnose the Wall, Isolate and Fix, Verify the Resolution and more, this guide gives you one expert prompt per step so you never have to write from scratch or guess what the AI needs. The prompts work in ChatGPT, Claude, and Gemini and are designed to get usable output on the first try.
Identify where credentials are hardcoded in the codebase.
Identify Hardcoded Keys
Scan the provided codebase for any instances of hardcoded API keys, passwords, or tokens. Generate a detailed report that lists the files containing these sensitive credentials, along with the specific line numbers for each instance. In addition, explain the potential security risks associated with hardcoding these credentials and suggest best practices for securely managing them. Ensure the report is formatted clearly and organized for easy reference.
Check for Sensitive Data
Analyze the following files for any embedded sensitive data: [LIST OF FILES]. Specifically, look for hardcoded credentials, API keys, or any other sensitive information that should not be publicly accessible. Provide a detailed report of your findings, including the exact lines where sensitive data is found, and offer recommendations for securing this information. Additionally, summarize the potential risks associated with leaving this data exposed, explaining how it could impact the organization.
Locate Credential Patterns
Analyze the following codebase for patterns that resemble hardcoded credentials. Provide a detailed list of any occurrences you find, including the specific file names and line numbers where these patterns appear. Additionally, categorize the types of credentials identified, such as API keys, passwords, or tokens, and suggest best practices for securing them.
Review Recent Changes
Review the recent commits for the [PROJECT NAME] project. Analyze the code changes to identify any instances of hardcoded credentials, and provide a detailed summary of your findings. Include specific files and lines where hardcoded credentials are present, outline the potential security risks associated with these instances, and offer recommendations for best practices to avoid hardcoding sensitive information in the future. Format your response as a structured report with clear headings for each section.
Analyze Configuration Files
Analyze the provided configuration files for any instances of hardcoded sensitive information, including API keys, passwords, or personal data. For each identified issue, specify the exact line or section where the sensitive information appears, explain the potential risks of leaving this information hardcoded, and recommend best practices for securely managing sensitive data in configuration files. Present your findings in a structured report that summarizes the issues and outlines actionable steps to mitigate the risks.
Remove hardcoded credentials and replace them with environment variables.
Replace with Environment Variables
Identify all hardcoded credentials in the provided code: [CODE SNIPPET]. For each credential, replace it with an appropriate environment variable and provide the updated code snippets for each change. Ensure to include comments that explain what each environment variable represents. Additionally, provide detailed instructions on how to set these environment variables in a local development environment and outline any necessary steps to ensure the application can access them correctly.
Create Environment Variable File
Create a .env file that includes placeholders for the following credentials: [DATABASE_URL], [API_KEY], [SECRET_KEY], and [OTHER_CREDENTIALS]. Format the file with each variable on a new line in the format VARIABLE_NAME=PLACEHOLDER. Above each line, provide a brief explanation of the purpose of each credential in comments, ensuring that no actual sensitive data is included in the file.
Update Configuration Management
Update the configuration files to replace all hardcoded values with environment variables. Ensure that sensitive information, such as API keys and database credentials, is securely referenced through these variables. Provide the updated configuration files in a clear format, highlighting the specific changes made. Include detailed instructions for setting up the environment variables and a brief explanation of the benefits of using environment variables for configuration management, focusing on security and flexibility.
Refactor Code for Security
Refactor the following code to enhance security by eliminating the direct embedding of sensitive information such as API keys, passwords, or credentials. Ensure that sensitive data is stored in environment variables or secure vaults instead. Provide the updated code sections, highlighting the changes made to improve security practices. Additionally, explain the security risks associated with hardcoding credentials and detail the benefits of using environment variables or secure vaults for sensitive information management.
Implement Secure Storage
Suggest a secure method for storing and accessing credentials in the [PROJECT NAME] project. Outline best practices for credential management, including encryption techniques, access controls, and secure storage solutions. Provide detailed implementation steps with code examples where applicable, and explain how to avoid hardcoding credentials in the source code. Additionally, discuss strategies for securely managing and rotating credentials over time to maintain security.
Ensure all hardcoded credentials are removed and replaced correctly.
Confirm No Hardcoded Keys
Re-scan the codebase for any hardcoded API keys, passwords, or tokens. Provide a detailed verification report that outlines your findings, including the specific locations of any hardcoded credentials discovered. Additionally, summarize the overall security posture regarding sensitive information in the code and offer recommendations for best practices to prevent hardcoding sensitive data in the future.
Validate Environment Variable Usage
Review the following code for proper usage of environment variables: [CODE SNIPPET]. Validate that all sensitive data references are using environment variables and identify any instances of hardcoded sensitive data. For each identified instance, explain the security implications of hardcoding and provide a corrected version of the code snippet that demonstrates the appropriate use of environment variables.
Test Configuration Files
Run a test to verify that the configuration files for the windsurf-hardcoding-credentials use environment variables correctly. Check for discrepancies or issues in the implementation of these variables and provide a detailed report of the test results. Include any errors encountered, the expected outcomes, and indicate whether the configuration files passed or failed the test. Additionally, suggest necessary corrections or improvements based on your findings.
Review Code Changes
Review the code changes made to replace hardcoded credentials in the project. Ensure that all instances of hardcoded credentials have been removed and replaced with secure alternatives. Verify that the new implementation adheres to best practices for security, including proper handling of sensitive information. Identify any potential vulnerabilities or areas for improvement, and summarize your findings in a structured report format that includes sections for strengths, weaknesses, and recommendations.
Check Secure Storage Implementation
Verify the implementation of the secure storage method for hardcoding credentials in the project. Assess whether this method adheres to best practices for security and data protection. Provide a detailed confirmation report that includes an overview of the implementation, any potential vulnerabilities identified, recommendations for improvement, and a summary of compliance with security standards. Ensure the report is structured clearly with headings for each section to enhance readability.
Establish practices to avoid future hardcoding of credentials.
Draft CLAUDE.md Rule
Draft a new rule for the CLAUDE.md documentation that focuses on preventing the hardcoding of credentials in code. Clearly explain the rationale for avoiding hardcoded credentials, provide specific examples of what hardcoding looks like, and outline best practices for securely managing credentials. Include the exact text to be added to the documentation based on recent fixes, ensuring it is actionable for developers. Format the rule using bullet points or numbered lists to enhance readability and implementation.
Create Code Comment Template
Design a code comment template that emphasizes the importance of using environment variables for sensitive data. Include a clear reminder to avoid hardcoding credentials, an example demonstrating how to access environment variables in code, and a note explaining the significance of maintaining security when handling sensitive information. Structure the template for easy readability and ensure it can be easily integrated into various codebases.
Develop Session-Opener Checklist
Create a detailed session-opener checklist for developers to review at the start of each coding session. The checklist should include specific items to verify, such as ensuring there are no hardcoded API keys, checking for database passwords, identifying any sensitive information embedded in the code, verifying environment variable usage, and confirming that all credentials are stored securely. Format the checklist in a clear, bullet-point style for easy reference during coding sessions, and ensure it covers at least ten actionable items.
Establish Naming Conventions
Propose a comprehensive set of naming conventions for environment variables that clearly indicate their purpose and usage. Include specific examples for naming variables related to DATABASE CONNECTIONS, API KEYS, and APPLICATION SETTINGS. Ensure that the conventions promote clarity and consistency, making it easy for developers to understand the role of each variable at a glance. Additionally, provide detailed guidelines on how to handle SENSITIVE INFORMATION within these naming conventions to ensure security and compliance.
Implement Project Guard
Propose a project guard mechanism that automatically detects hardcoded credentials during the development process. Describe the specific steps for implementing this mechanism, including its integration with the existing development workflow. Identify the technologies or frameworks that could be utilized, specify the types of credentials to check for, and explain how developers will be notified of any violations. Additionally, outline best practices for maintaining this guard mechanism to ensure its effectiveness over time.
Use Windsurf's custom rules feature to enforce the use of environment variables instead of hardcoding credentials. This ensures that sensitive data is managed securely.
Cascade mode allows Windsurf to make autonomous edits across multiple files, which can be useful for refactoring code to remove hardcoded credentials efficiently.
Create a .env file to store environment variables and configure Windsurf to read from this file during runtime. This keeps sensitive information out of the source code.
Yes, Windsurf can scan your codebase for patterns that resemble hardcoded credentials and report their locations for further action.
Include rules that enforce security best practices, such as using environment variables for sensitive data, to guide Windsurf's behavior and prevent credential hardcoding.
AI Prompts for Prevent Hardcoding of Credentials
Embedding API keys directly in source code can lead to security vulnerabilities and make it difficult to manage sensitive information.
See promptsAI Prompts for Prevent Hardcoding Credentials in Code
Embedding API keys directly in source code can lead to security vulnerabilities and accidental exposure of sensitive information.
See promptsAI Prompts for Avoiding Hardcoded Credentials
Embedding API keys, passwords, or tokens directly in source code exposes sensitive information.
See prompts