Claude Code Security: Permissions, Sandboxing, and Safe Usage

Claude Code has a permission system that lets you control exactly what the AI can and cannot do. Here is how to configure it for safe development.

Claude Code runs commands and edits files in your environment. That power requires guardrails. The permission system lets you define exactly what Claude Code can access, what it can modify, and what actions require your explicit approval.

How does the Claude Code permission system work?

Claude Code has three permission modes that control how much autonomy the agent gets:

| Mode | Behavior | Best for |
|---|---|---|
| Normal | Asks permission for each tool use | Learning, sensitive codebases |
| Auto-Accept | Approves safe actions, asks for risky ones | Daily development |
| Plan Mode | Plans changes, waits for approval before executing | Code review, architecture changes |

How do you configure allow/deny rules?

Fine-grained permissions are set in settings.json. Use glob patterns to control which files and commands Claude Code can access:

```json
// .claude/settings.json
{
  "permissions": {
    "allow": [
      "Read:**",
      "Edit:src/**",
      "Edit:tests/**",
      "Bash:npm run *",
      "Bash:git *"
    ],
    "deny": [
      "Edit:.env*",
      "Edit:*.secret",
      "Edit:credentials/**",
      "Bash:rm -rf *",
      "Bash:curl * | bash",
      "Bash:git push --force*"
    ]
  }
}
```

What files should you always protect?

  • .env and .env.* files (API keys, database credentials)
  • credentials/, secrets/, or any directory with sensitive data
  • CI/CD configuration files (.github/workflows/, .gitlab-ci.yml)
  • Infrastructure files (terraform/, docker-compose.prod.yml)
  • Authentication configuration (auth.config.ts, OAuth settings)

How does sandboxing work?

Claude Code uses filesystem sandboxing to restrict where the agent can operate. By default, it can only access files within your project directory. You can further restrict this with allow/deny rules.

```bash
# Claude Code runs in a sandbox by default:
# ✅ Can read/write files in your project directory
# ❌ Cannot access files outside the project
# ❌ Cannot access system files
# ❌ Cannot access other users' home directories

# Add extra directories if needed:
claude --add-dir /path/to/shared/library
```

What are security best practices for Claude Code?

  • Always protect .env files with deny rules
  • Use Normal mode when working on sensitive code for the first time
  • Review the diff before allowing commits (Plan Mode is great for this)
  • Set --max-budget-usd to prevent runaway costs
  • Use allowed-tools in Skills to limit what each skill can do
  • Audit your MCP server permissions (use read-only database connections)
  • Never use --dangerously-skip-permissions outside of CI/CD

WARNING

The --dangerously-skip-permissions flag disables all permission checks. Only use this in CI/CD pipelines with controlled inputs. Never use it in local development sessions.

Frequently asked questions

Can Claude Code access my clipboard or browser?
No. Claude Code only accesses your filesystem and terminal. It cannot read your clipboard, access your browser, or interact with GUI applications. Its scope is limited to the tools you explicitly allow.

What happens if Claude Code tries a blocked action?
It receives a "denied" response and tries a different approach. PreToolUse hooks can also block actions and provide a custom message explaining why. Claude Code adapts its behavior based on denials.

Are my code and prompts sent to Anthropic?
Prompts and code context are sent to Anthropic's API for processing. Anthropic does not use this data for model training. For enterprise deployments, contact Anthropic about data retention policies and on-premise options.

How do I audit what Claude Code did in a session?
Claude Code logs all actions in the session transcript. You can review what files were read, edited, and what commands were run. Use the /cost command to see resource usage. For team compliance, configure hooks to log actions to an audit file.
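
The PreToolUse and audit-logging hooks mentioned in the answers above, as an added example (not code from Claude Code or from this post): a hook script that refuses writes to the protected files listed earlier and appends each tool call to a log. It assumes the hook event arrives as JSON on stdin with `tool_name`, `tool_input` and `cwd` fields, and that exit status 2 blocks the call and returns stderr to the agent; the tool names and the `HOOK_AUDIT_LOG` path are likewise assumptions to check against the current hooks documentation.

```python
"""PreToolUse hook: log each tool call, block writes to protected files."""
import fnmatch
import json
import os
import sys
import time

# Patterns follow the page's "always protect" list.
PROTECTED_DIRS = ["credentials", "secrets", ".github/workflows", "terraform"]
PROTECTED_FILES = [".env", ".env.*", ".gitlab-ci.yml",
                   "docker-compose.prod.yml", "auth.config.ts"]
WRITE_TOOLS = {"Edit", "Write", "MultiEdit"}  # assumed tool names
AUDIT_LOG = os.environ.get("HOOK_AUDIT_LOG", ".claude/audit.jsonl")  # hypothetical

def is_protected(path, root):
    """Resolve path against root first, so src/../.env cannot slip through."""
    root = os.path.realpath(root)
    rel = os.path.relpath(os.path.realpath(os.path.join(root, path)), root)
    parts = rel.split(os.sep)
    if parts[0] == "..":
        return True  # outside the project directory: refuse writes
    if any(fnmatch.fnmatch(parts[-1], pat) for pat in PROTECTED_FILES):
        return True  # file rules apply at any depth, e.g. config/.env.local
    rel = "/".join(parts)
    return any(rel == d or rel.startswith(d + "/") for d in PROTECTED_DIRS)

def decide(event, root):
    """Return (allowed, message) for one hook event."""
    path = event.get("tool_input", {}).get("file_path")
    if event.get("tool_name") in WRITE_TOOLS and path and is_protected(path, root):
        return False, f"Blocked: {path} is protected; leave it for a human to edit."
    return True, ""

def main():
    event = json.load(sys.stdin)  # assumed: the hook event arrives as JSON on stdin
    allowed, message = decide(event, event.get("cwd") or os.getcwd())
    tool_input = event.get("tool_input", {})
    # Log the target only, not file contents, which may hold secrets.
    record = {"ts": time.time(), "tool": event.get("tool_name"), "allowed": allowed,
              "target": tool_input.get("file_path") or tool_input.get("command")}
    os.makedirs(os.path.dirname(AUDIT_LOG) or ".", exist_ok=True)
    with open(AUDIT_LOG, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not allowed:
        print(message, file=sys.stderr)  # custom message explaining the denial
        sys.exit(2)  # assumed: exit status 2 blocks the tool call

if __name__ == "__main__":
    main()
```

This gates the file-editing tools only; shell commands that write files still depend on the Bash deny rules.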