Security and Configuration

Claude Code Permissions, Security Model, and Safe Usage

Understanding Claude Code's permission model, what data leaves your machine, how to configure safe defaults, and best practices for using agentic AI on real codebases.

What Claude Code Can Do — and What That Means

Claude Code is an agentic tool with real capabilities: it reads files, writes files, runs shell commands, and executes code. This is exactly what makes it powerful — and exactly why understanding its security model matters before you use it on sensitive projects.

Knowing what operations Claude Code can perform and how the permission system works lets you use it confidently without exposing your systems to unnecessary risk.

What Leaves Your Machine

Claude Code sends to Anthropic's API:

Your prompts and conversation history
File contents when Claude Code reads them
Command outputs when Claude Code runs shell commands

Claude Code does NOT:

Upload your entire codebase proactively
Store your code on Anthropic's servers between sessions (subject to Anthropic's privacy policy)
Share your code with other users

Practical implication: If you're working in an environment with strict data residency requirements, check Anthropic's current privacy policy and data processing agreements. For most development contexts, the same security considerations that apply to using any AI API apply to Claude Code.

The Tool Use Permission System

Every time Claude Code wants to take a potentially irreversible action, it presents a permission prompt. The categories of tools Claude Code uses:

Tool Category	Examples	Risk Level
File read	Read any file in your project	Low
File write	Modify or create files	Medium
Shell execute	Run npm, git, test commands	Medium–High
Web fetch	HTTP requests to external URLs	Medium

Configuring Auto-Permissions

You can configure Claude Code to auto-approve specific commands without prompting every time. This is done via the allowedTools setting or by responding "always" to a permission prompt.

To make approvals permanent in settings:

json

// ~/.config/claude-code/settings.json (or platform equivalent)
{
  "allowedTools": [
    "Bash(npm test*)",
    "Bash(npm run typecheck*)",
    "Bash(git status*)",
    "Bash(git diff*)"
  ]
}

This allows these specific commands to run without approval. Note the pattern syntax: Bash(npm test*) allows any command starting with npm test.

What to Auto-Approve (and What Not To)

Safe to auto-approve:

Test runners: npm test, npx vitest, pytest
Type checking: npm run typecheck, tsc --noEmit
Read-only git operations: git status, git diff, git log
Linters in check mode: eslint --fix if you trust the linter config

Require explicit approval each time:

git commit — you should review before committing
git push — never auto-approve
npm install [package] — review new dependencies explicitly
Database migrations
Any command that modifies infrastructure

Never auto-approve in production environments:

Deploy commands
Environment variable changes
Any command with --force or -f flags

The `--dangerously-skip-permissions` Flag

This flag disables all permission prompts and auto-approves every tool use. It exists for legitimate use cases:

Appropriate uses:

CI/CD pipelines where the full environment is controlled
Local automation scripts in sandboxed environments
Running Claude Code inside a Docker container with known-good code

Inappropriate uses:

Interactive development sessions on production codebases
Anything involving real credentials or live databases
Any context where you haven't reviewed what Claude Code might do

If you use this flag, always run Claude Code in a git repository so every change is tracked and reversible.

Git as Your Safety Net

The most important safety practice for Claude Code: always use it in a git repository with a clean working tree before starting a session.

bash

# Before a Claude Code session:
git status          # Confirm clean working tree
git stash           # Stash any in-progress work

# After a Claude Code session:
git diff            # Review all changes before committing
git add -p          # Stage changes interactively, file by file

If Claude Code makes changes you don't want:

bash

git checkout .      # Discard all unstaged changes
git clean -fd       # Remove untracked files Claude Code created

The git workflow gives you a precise, auditable record of everything Claude Code changed — and a clean recovery path.

CLAUDE.md Security Considerations

The CLAUDE.md file is read and trusted by Claude Code as instructions. If your repository accepts external contributions, be aware that a malicious CLAUDE.md in a pull request could contain instructions designed to manipulate Claude Code's behavior.

Best practice: review CLAUDE.md changes in pull requests with the same attention you'd give security-sensitive configuration files.

Sensitive Files

Claude Code will read any file it can access. If your project contains files with credentials, secrets, or sensitive data, take precautions:

Use .env files for credentials and ensure they're in .gitignore
Add sensitive file patterns to a project-level ignore configuration
For highly sensitive work, run Claude Code with limited directory access

Key Takeaways

Claude Code sends file contents to Anthropic's API when it reads them — understand what data leaves your machine
Use the permission system actively: auto-approve safe read-only and test operations, require approval for writes and git operations
Never use --dangerously-skip-permissions in interactive sessions on sensitive code
Always work in a git repository — it's your primary safety net for reviewing and reverting Claude Code's changes

---

Try It Yourself: Set up a settings.json for Claude Code that auto-approves your test runner and type checker but requires approval for all git operations and npm installs. Start a session and verify the permissions behavior matches your configuration.