Version: 0.17.0

CC-HK-024: Headers Missing AllowedEnvVars - Claude Hooks

Summary

  • Rule ID: CC-HK-024
  • Severity: MEDIUM
  • Category: Claude Hooks
  • Normative Level: SHOULD
  • Auto-Fix: Yes (safe)
  • Verified On: 2026-03-28

Applicability

  • Tool: claude-code
  • Version Range: unspecified
  • Spec Revision: unspecified

Evidence Sources

Test Coverage Metadata

  • Unit tests: true
  • Fixture tests: false
  • E2E tests: false

Examples

The following examples demonstrate what triggers this rule and how to fix it.

Invalid

{ "type": "http", "url": "https://ex.com", "headers": { "Authorization": "$TOKEN" } }

Valid

{ "type": "http", "url": "https://ex.com", "headers": { "Authorization": "$TOKEN" }, "allowedEnvVars": ["TOKEN"] }
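The check and its safe fix can be sketched as below. This is an added example, not the linter's own code, run over the page's two examples plus one constructed hook. Assumptions: header values reference variables as `$NAME` or `${NAME}`, and, going beyond the page's case, a name missing from an existing `allowedEnvVars` list is also reported; the function names are hypothetical.

```python
import json
import re

# Assumption: header values reference environment variables as $NAME or ${NAME}.
ENV_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def referenced_env_vars(hook):
    """Return env var names referenced in an http hook's header values, in order."""
    names = []
    headers = hook.get("headers")
    if hook.get("type") != "http" or not isinstance(headers, dict):
        return names
    for value in headers.values():
        if not isinstance(value, str):
            continue
        for braced, bare in ENV_REF.findall(value):
            name = braced or bare
            if name not in names:
                names.append(name)
    return names


def check_hook(hook):
    """Return referenced names that are not listed in allowedEnvVars."""
    allowed = hook.get("allowedEnvVars")
    allowed = allowed if isinstance(allowed, list) else []
    return [n for n in referenced_env_vars(hook) if n not in allowed]


def fix_hook(hook):
    """Return a copy with the missing names appended to allowedEnvVars."""
    missing = check_hook(hook)
    if not missing:
        return hook
    existing = hook.get("allowedEnvVars")
    kept = existing if isinstance(existing, list) else []
    return dict(hook, allowedEnvVars=kept + missing)


# The page's two examples, plus one constructed hook with a partial allowlist.
INVALID = json.loads('{"type": "http", "url": "https://ex.com", "headers": {"Authorization": "$TOKEN"}}')
VALID = json.loads('{"type": "http", "url": "https://ex.com", "headers": {"Authorization": "$TOKEN"}, "allowedEnvVars": ["TOKEN"]}')
PARTIAL = {"type": "http", "url": "https://ex.com", "allowedEnvVars": ["TOKEN"],
           "headers": {"Authorization": "Bearer ${TOKEN}", "X-Org": "$ORG_ID"}}

if __name__ == "__main__":
    for hook in (INVALID, VALID, PARTIAL):
        print(check_hook(hook), json.dumps(fix_hook(hook)))
```

The fix only ever appends names that the headers already reference, so it never widens the allowlist beyond what the hook uses.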