diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9a419bdb6..6f41b9941 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -1,12 +1,10 @@
 # gitleaks config — straw
 #
 # Straw is a YouTube Android client. Patterns flagged:
-# - SharedPreferences key constants (KEY_SB_CATS, REQUEST_KEY) — identifier
-# strings, not credentials
+# - SharedPreferences key constants — identifier strings, not credentials
 # - GOOGLE_API_KEY in PoTokenWebView.kt — the InnerTube public API key
 # every YouTube client (web, Android, iOS, NewPipe, all forks) ships
-# hardcoded. Public-by-design; YouTube enforces auth via other channels
-# (visitor data, po_token).
+# hardcoded. Public-by-design; YouTube enforces auth via other channels.
 
 [extend]
 useDefault = true
@@ -17,6 +15,7 @@ regexTarget = "line"
 regexes = [
 # InnerTube hardcoded key, public on every YouTube client
 '''GOOGLE_API_KEY\s*=\s*"AIza[A-Za-z0-9_-]{35}"''',
- # SharedPreferences keys — identifier string, not a credential
- '''(private\s+)?(const\s+val|val|var|final\s+(static\s+)?String)\s+(KEY|REQUEST_KEY|PREF_KEY)_[A-Z_]+\s*=''',
+ # Any const val whose name contains KEY — these are SharedPreferences
+ # / request-tag identifier strings, never credentials
+ '''(private\s+)?const\s+val\s+\w*KEY\w*\s*=\s*"''',
 ]
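Review bot: The new pattern `\w*KEY\w*` in the second hunk suppresses any `const val` whose name merely contains KEY, which includes exactly the names a real hardcoded credential tends to carry — `API_KEY`, `SECRET_KEY`, `PRIVATE_KEY`, `ENCRYPTION_KEY` — and with `regexTarget = "line"` (visible in the hunk context) the whole line is exempted, so a line like `const val SECRET_KEY = "…"` would no longer be reported by gitleaks; this list appears to be an allowlist, though its `[allowlist]` header is outside the hunk. The removed rule was narrower because it anchored on the `KEY_` / `REQUEST_KEY_` / `PREF_KEY_` prefixes, and the stated rationale ("SharedPreferences / request-tag identifier strings") still only needs those prefixes. Keep the prefix anchor while retaining the new `= "` tail, e.g. `'''(private\s+)?const\s+val\s+(KEY|REQUEST_KEY|PREF_KEY)_[A-Z0-9_]+\s*=\s*"''',`, and if a differently named identifier constant needs exempting later, add it to the alternation rather than widening to a substring match. Note also that gitleaks uses Go RE2, so a lookahead to exclude `API|SECRET|PRIVATE` is not available — an explicit prefix list is the only way to keep this narrow.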