# Security Notes for Claude Code Setup

## Database Credentials

### Current Configuration

The database password is currently configured in `.mcp.json` in the `env` section:

```json
"env": {
  "DB_PASSWORD": "1"
}
```

### ⚠️ IMPORTANT: Moving to System Environment Variables

**For production or shared repositories**, move the password to system environment variables:

#### Windows (PowerShell)

```powershell
# Set for the current session only
$env:DB_PASSWORD = "your-secure-password"

# Set permanently for this user (takes effect in newly started shells and applications)
[System.Environment]::SetEnvironmentVariable('DB_PASSWORD', 'your-secure-password', 'User')
```

#### Linux/Mac (Bash)

```bash
# Add to ~/.bashrc or ~/.zshrc
export DB_PASSWORD="your-secure-password"

# Then reload the shell configuration
source ~/.bashrc
```

#### Update .mcp.json

Remove the `env` section from the `database-server` configuration in `.mcp.json`, so that `${DB_PASSWORD}` is expanded from the system environment variable instead:

```json
"database-server": {
  "command": "npx",
  "args": [
    "-y",
    "@executeautomation/database-server",
    "--sqlserver",
    "--server", "CS-UL-2560",
    "--database", "TestDB",
    "--user", "admin",
    "--password", "${DB_PASSWORD}",
    "--trustServerCertificate"
  ]
}
```

Two caveats on this configuration: the expanded value is still passed as a `--password` command-line argument, so it is visible in the local process list while the server runs (this change keeps the password out of the repository, not out of the running machine), and `--trustServerCertificate` skips validation of the SQL Server's TLS certificate, which is acceptable for a local test database but should not be carried into production.

### Alternative: Use .claude/settings.local.json

For local development, you can also configure environment variables in `.claude/settings.local.json` (which is gitignored):

```json
{
  "mcpServers": {
    "database-server": {
      "env": {
        "DB_PASSWORD": "your-local-dev-password"
      }
    }
  }
}
```

## API Keys

### Context7 API Key

Currently configured in `.mcp.json`:

```json
"CONTEXT7_API_KEY": "ctx7sk-5515b694-54fc-442a-bd61-fa69fa8e6f1a"
```

**Recommendation**: For public repositories, move this to:

1. System environment variable (preferred)
2. `.claude/settings.local.json` (gitignored)

If `.mcp.json` with this value has already been committed, treat the key as exposed and regenerate it.
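
A check that turns the recommendations in the two sections above (no literal `DB_PASSWORD` in `env`, no literal Context7 key, every `${VAR}` reference actually set) into something a pre-commit hook can run. This is an added example, not part of the original notes or of Claude Code itself; the `context7` server entry, the package name in its `args` and all secret values are constructed placeholders, and the `${VAR}` / `${VAR:-default}` syntax it recognises is the expansion form this page uses in `.mcp.json`.

```python
import re

# Env keys whose literal value is almost certainly a secret.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)
# CLI flags whose next argument is a secret (the "--password" form used on this page).
SECRET_FLAGS = {"--password", "--token", "--api-key"}
# A ${VAR} or ${VAR:-default} reference, which .mcp.json expands when it is loaded.
VAR_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)(:-[^}]*)?\}$")

def find_inline_secrets(config):
    """Return (server, location, value) for every secret stored as a literal."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if SECRET_KEY.search(key) and not VAR_REF.match(str(value)):
                findings.append((name, f"env.{key}", value))
        args = server.get("args", [])
        for i in range(len(args) - 1):
            if args[i] in SECRET_FLAGS and not VAR_REF.match(str(args[i + 1])):
                findings.append((name, f"args[{i + 1}]", args[i + 1]))
    return findings

def missing_env_refs(config, environ):
    """Return ${VAR} names (with no :-default) that are not set in `environ`."""
    missing = set()
    for server in config.get("mcpServers", {}).values():
        for value in list(server.get("args", [])) + list(server.get("env", {}).values()):
            m = VAR_REF.match(str(value))
            if m and m.group(2) is None and m.group(1) not in environ:
                missing.add(m.group(1))
    return sorted(missing)

# Constructed sample mirroring this page's "before" layout; secret values are placeholders.
SAMPLE_CONFIG = {"mcpServers": {
    "database-server": {
        "command": "npx",
        "args": ["-y", "@executeautomation/database-server", "--sqlserver",
                 "--server", "CS-UL-2560", "--database", "TestDB", "--user", "admin",
                 "--password", "${DB_PASSWORD}", "--trustServerCertificate"],
        "env": {"DB_PASSWORD": "1"},
    },
    "context7": {"command": "npx", "args": ["-y", "@upstash/context7-mcp"],
                 "env": {"CONTEXT7_API_KEY": "ctx7sk-PLACEHOLDER"}},
}}

if __name__ == "__main__":
    # For the real file: json.load(open(".mcp.json")) as config, os.environ as environ.
    for server, where, value in find_inline_secrets(SAMPLE_CONFIG):
        print(f"inline secret in {server} at {where}: {value!r}")
    print("unset ${VAR} references:", missing_env_refs(SAMPLE_CONFIG, {}))
```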

## Best Practices

1. ✅ **Never commit passwords to git**
   - Use environment variables
   - Use `.claude/settings.local.json` for local secrets
   - Add files that hold secrets to `.gitignore`

2. ✅ **Use least privilege**
   - Database: Use read-only accounts when possible
   - API Keys: Use restricted/scoped keys

3. ✅ **Rotate credentials regularly**
   - Change passwords periodically
   - Regenerate API keys if exposed

4. ✅ **Audit access**
   - Review MCP server permissions in `.claude/settings.json`
   - Log database operations
   - Monitor API usage

## Git Configuration

Ensure sensitive files are ignored:

```gitignore
# In .gitignore
.claude/settings.local.json
.env
.env.local
*.key
*.pem
credentials.json
```

## Additional Resources

- [Claude Code Security Documentation](https://docs.claude.com/en/docs/claude-code/security)
- [MCP Security Best Practices](https://modelcontextprotocol.io/security)
- [Environment Variables Guide](https://docs.claude.com/en/docs/claude-code/configuration#environment-variables)