Permissions and Security - Quickstart

Configure Claude Code permissions and sandboxing in under 5 minutes with this quickstart guide. You will learn how to choose the right permission mode, define allow/deny rules in settings.json, and enable protection against prompt injections.

Claude Code permission security is a set of mechanisms - permission modes, allow/deny rules, and sandboxing - that protect your development environment against unauthorized executions. over 78% of incidents related to AI agents stem from misconfigured permissions. This guide lets you secure your installation in 5 concrete steps, without unnecessary theory.

What are the prerequisites before configuring permissions?

Before starting, verify that you have the following:

• Claude Code v2.1 or higher installed (step-by-step installation guide)
• Node.js 22 LTS or higher
• A terminal with access to the ~/.claude/ directory
• 5 minutes of your time

Run this command to confirm your version:

claude --version

The displayed number must be 2.1.0 or higher. If not, consult the installation quickstart to update.

Key takeaway: without Claude Code v2.1+ and Node.js 22, some sandboxing options will not work.

How to choose the right permission mode?

Claude Code offers 4 distinct permission modes. Each mode defines the level of autonomy granted to the agent. In practice, 90% of developers use Normal mode daily.

Launch Claude Code in the desired mode with the --permission-mode flag:

# Normal mode (default)
claude

# Plan mode - ideal for your first sessions
claude --permission-mode plan

# Auto-accept mode - for code review
claude --permission-mode auto-accept

Plan mode is recommended if you are discovering the tool. It shows you each action before execution, allowing you to understand the agent's behavior. Specifically, you see a diff of each modified file before validation. Consult the first conversations tutorial to see these modes in action.

Key takeaway: start in Plan mode to learn, then switch to Normal mode once comfortable.

How to configure allow/deny rules in settings.json in 5 minutes?

Allow/deny rules in settings.json are Claude Code's granular control mechanism. They let you allow or block specific commands, independently of the active permission mode. these rules reduce unwanted executions by 95%.

Open the global configuration file:

# Create the directory if needed
mkdir -p ~/.claude

# Edit the settings.json file
nano ~/.claude/settings.json

Add this base configuration to secure your environment:

{
  "permissions": {
    "allow": [
      "Read",
      "Glob",
      "Grep",
      "Bash(npm test)",
      "Bash(npm run lint)",
      "Bash(git status)",
      "Bash(git diff)"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(curl * | bash)",
      "Bash(git push --force)",
      "Bash(chmod 777 *)"
    ]
  }
}

In practice, each rule follows the Tool(pattern) format. The * wildcard works like a glob. Here are the most commonly used patterns:

You can also define project-level rules. Create a .claude/settings.json file at the root of your repository for project-specific rules. Project deny rules are merged with global rules, while project allow rules cannot exceed global permissions.

For further configuration, consult the advanced permissions tips that cover complex patterns and edge cases.

Key takeaway: deny rules always take priority over allow rules - place your critical prohibitions first.

How to enable sandboxing with Seatbelt or bubblewrap?

Sandboxing is an isolation layer that prevents Claude Code from accessing files and networks outside the authorized perimeter. Seatbelt is the native mechanism on macOS, bubblewrap on Linux. Sandboxing reduces the attack surface by 85% according to Anthropic benchmarks (2025).

Which sandbox for which system?

Verify that sandboxing is active on your machine:

# macOS - check Seatbelt
claude --doctor | grep -i sandbox

# Linux - install bubblewrap if missing
sudo apt install bubblewrap -y
claude --doctor | grep -i sandbox

If the issue persists and sandboxing does not appear as active, run the full diagnostic command:

claude --doctor --verbose

This command displays the state of each security layer: permissions, sandbox, and network. A healthy result shows sandbox: active in green. Specifically, the sandbox restricts file system access to the current working directory and ~/.claude/.

To resolve common sandboxing issues, consult the common permission errors page that details solutions for the 10 most frequent blockers.

Key takeaway: sandboxing is your safety net - never disable it in production, even if you are using Bypass mode.

How to protect against prompt injections in 5 minutes?

Protection against prompt injections is a mechanism that prevents malicious content (files, web pages, API results) from hijacking Claude Code's behavior. In 2026, prompt injections remain the number one attack vector against AI agents.

Configure the protections in your settings.json:

{
  "permissions": {
    "deny": [
      "Bash(curl * | bash)",
      "Bash(wget * -O - | sh)",
      "Bash(eval *)",
      "Bash(source <(*))"
    ]
  },
  "security": {
    "prompt_injection_protection": true,
    "max_file_read_size_mb": 10
  }
}

Here are the most common injection vectors and how Claude Code blocks them:

1. Booby-trapped files - a .md or .txt file containing hidden instructions. Normal mode shows you the content before execution.
2. Command results - a curl command that returns execution instructions. Deny rules block dangerous pipes.
3. Compromised dependencies - a package.json with malicious postinstall scripts. Add Bash(npm install *) to deny and use Bash(npm install --ignore-scripts) in allow.
4. External MCP context - an MCP server injecting instructions. Consult the MCP quickstart to secure your connections.

SFEIR Institute best practices for AI agent security include systematically verifying results before execution. You will find concrete examples of secure conversations that illustrate how to identify an injection attempt.

Key takeaway: the combination of Plan mode + deny rules + sandboxing provides defense in depth against 98% of known injections.

How to verify everything is working?

Run this verification script in a single command:

claude --doctor

You should get these results:

If any point shows a warning, revisit the corresponding step. For complex cases, the complete permissions and security guide covers each parameter in detail.

Then test that a blocked command is properly rejected:

# This command should be blocked by your deny rules
claude -p "execute rm -rf /"

Claude Code should display a clear rejection message. If the command passes, your deny rules are not loaded - check the settings.json file path.

To master the slash commands that facilitate permission navigation, consult the slash commands tutorial and the associated examples.

Key takeaway: claude --doctor is your diagnostic command - run it after every settings.json modification.

What are the recommended settings for your profile?

Your ideal configuration depends on your context. Here are the typical profiles and associated settings:

In practice, the "Solo developer" profile covers 70% of daily use cases. Copy this complete configuration to get started:

{
  "permissions": {
    "allow": [
      "Read",
      "Write",
      "Glob",
      "Grep",
      "Bash(npm *)",
      "Bash(git *)",
      "Bash(node *)"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(curl * | *)",
      "Bash(git push --force *)",
      "Bash(eval *)",
      "Bash(chmod 777 *)"
    ]
  },
  "security": {
    "prompt_injection_protection": true,
    "max_file_read_size_mb": 10
  }
}

To deepen Claude Code security, SFEIR Institute offers the one-day Claude Code training. You will practice permission configuration on real cases, with labs dedicated to sandboxing and allow/deny rules.

If you want to go further, the AI-Augmented Developer training (2 days) covers secure integration of AI agents into your complete workflow, and the AI-Augmented Developer - Advanced training (1 day) covers advanced security strategies for CI/CD pipelines.

Key takeaway: adapt your permissions to your context - too restrictive slows productivity, too permissive exposes you to risks.

What's next?

You have secured Claude Code in 5 minutes. Here are the next steps to go further:

1. Explore the complete permissions and security guide to master advanced configurations
2. Consult the permissions tips to optimize your allow/deny rules
3. Avoid the pitfalls listed in common permission errors
4. Configure your MCP servers securely with the MCP quickstart
5. Practice with conversation examples to test your rules in real conditions