Permissions and Security - Quickstart

Configure Claude Code permissions and sandboxing in under 5 minutes with this quickstart guide. You will learn how to choose the right permission mode, define allow/deny rules in settings.json, and enable protection against prompt injections.

Claude Code permission security is a set of mechanisms - permission modes, allow/deny rules, and sandboxing - that protect your development environment against unauthorized executions. many incidents related to AI agents stem from misconfigured permissions. This guide lets you secure your installation in 5 concrete steps, without unnecessary theory.

What are the prerequisites before configuring permissions?

Before starting, verify that you have the following:

• Claude Code or higher installed (step-by-step installation guide)
• Node.js 22 LTS or higher
• A terminal with access to the ~/.claude/ directory
• 5 minutes of your time

Run this command to confirm your version:

claude --version

The displayed number must be 2.1.0 or higher. If not, consult the installation quickstart to update.

Key takeaway: without Claude Code+ and Node.js 22, some sandboxing options will not work.

How to choose the right permission mode?

Claude Code offers 6 permission modes via the --permission-mode flag. Each mode defines the level of autonomy granted to the agent. In practice, many use default mode daily.

Launch Claude Code in the desired mode with --permission-mode:

# Default mode
claude

# acceptEdits mode - for everyday development
claude --permission-mode acceptEdits

# Plan mode - analysis before action
claude --permission-mode plan

# In session, use Shift+Tab or Alt+M to cycle through modes

default mode is recommended if you are discovering the tool. It asks for confirmation before every sensitive action, allowing you to understand the agent's behavior. In session, use Shift+Tab or Alt+M to cycle through permission modes. Consult the first conversations tutorial to see these modes in action.

Key takeaway: start in default mode to learn, use Shift+Tab/Alt+M to cycle through modes, then switch to acceptEdits once comfortable.

How to configure allow/deny rules in settings.json in 5 minutes?

Allow/deny rules in settings.json are Claude Code's granular control mechanism. They let you allow or block specific commands, independently of the active permission mode. these rules reduce unwanted executions by 95%.

Open the global configuration file:

# Create the directory if needed
mkdir -p ~/.claude

# Edit the settings.json file
nano ~/.claude/settings.json

Add this base configuration to secure your environment:

{
 "permissions": {
 "allow": [
 "Read",
 "Glob",
 "Grep",
 "Bash(npm test)",
 "Bash(npm run lint)",
 "Bash(git status)",
 "Bash(git diff)"
 ],
 "deny": [
 "Bash(rm -rf *)",
 "Bash(curl * | bash)",
 "Bash(git push --force)",
 "Bash(chmod 777 *)"
 ]
 }
}

In practice, each rule follows the Tool(pattern) format. The * wildcard works like a glob. Here are the most commonly used patterns:

You can also define project-level rules. Create a .claude/settings.json file at the root of your repository for project-specific rules. Project deny rules are merged with global rules, while project allow rules cannot exceed global permissions.

For further configuration, consult the advanced permissions tips that cover complex patterns and edge cases.

Key takeaway: deny rules always take priority over allow rules - place your critical prohibitions first.

How to enable sandboxing with Seatbelt or bubblewrap?

Sandboxing is an isolation layer that prevents Claude Code from accessing files and networks outside the authorized perimeter. Seatbelt is the native mechanism on macOS, bubblewrap on Linux. Sandboxing reduces the attack surface by 85% benchmarks (2025).

Which sandbox for which system?

Verify that sandboxing is active on your machine:

# macOS - check Seatbelt
# Sandboxing is enabled by default on macOS and Linux

# Linux - install bubblewrap if missing
sudo apt install bubblewrap -y
# Sandboxing is enabled by default on macOS and Linux

If the issue persists and sandboxing does not appear as active, run the full diagnostic command:

claude --version

This command displays the state of each security layer: permissions, sandbox, and network. A healthy result shows sandbox: active in green. Specifically, the sandbox restricts file system access to the current working directory and ~/.claude/.

To resolve common sandboxing issues, consult the common permission errors page that details solutions for the 10 most frequent blockers.

Key takeaway: sandboxing is your safety net - never disable it in production, even if you are using Bypass mode.

How to protect against prompt injections in 5 minutes?

Protection against prompt injections is a mechanism that prevents malicious content (files, web pages, API results) from hijacking Claude Code's behavior. In 2026, prompt injections remain the number one attack vector against AI agents.

Configure the protections in your settings.json:

{
 "permissions": {
 "deny": [
 "Bash(curl * | bash)",
 "Bash(wget * -O - | sh)",
 "Bash(eval *)",
 "Bash(source <(*))"
 ]
 }
}

Here are the most common injection vectors and how Claude Code blocks them:

1. Booby-trapped files - a .md or .txt file containing hidden instructions. Normal mode shows you the content before execution.
2. Command results - a curl command that returns execution instructions. Deny rules block dangerous pipes.
3. Compromised dependencies - a package.json with malicious postinstall scripts. Add Bash(npm install *) to deny and use Bash(npm install --ignore-scripts) in allow.
4. External MCP context - an MCP server injecting instructions. Consult the MCP quickstart to secure your connections.

SFEIR Institute best practices for AI agent security include systematically verifying results before execution. You will find concrete examples of secure conversations that illustrate how to identify an injection attempt.

Key takeaway: the combination of Plan mode + deny rules + sandboxing provides defense in depth against 98% of known injections.

How to verify everything is working?

Run this verification script in a single command:

claude --version

You should get these results:

If any point shows a warning, revisit the corresponding step. For complex cases, the complete permissions and security guide covers each parameter in detail.

Then test that a blocked command is properly rejected:

# This command should be blocked by your deny rules
claude -p "execute rm -rf /"

Claude Code should display a clear rejection message. If the command passes, your deny rules are not loaded - check the settings.json file path.

To master the slash commands that facilitate permission navigation, consult the slash commands tutorial and the associated examples.

Key takeaway: claude --version is your diagnostic command - run it after every settings.json modification.

What are the recommended settings for your profile?

Your ideal configuration depends on your context. Here are the typical profiles and associated settings:

In practice, the "Solo developer" profile covers 70% of daily use cases. Copy this complete configuration to get started:

{
 "permissions": {
 "allow": [
 "Read",
 "Write",
 "Glob",
 "Grep",
 "Bash(npm *)",
 "Bash(git *)",
 "Bash(node *)"
 ],
 "deny": [
 "Bash(rm -rf *)",
 "Bash(curl * | *)",
 "Bash(git push --force *)",
 "Bash(eval *)",
 "Bash(chmod 777 *)"
 ]
 }
}

To deepen Claude Code security, SFEIR Institute offers the one-day Claude Code training. You will practice permission configuration on real cases, with labs dedicated to sandboxing and allow/deny rules.

If you want to go further, the AI-Augmented Developer training (2 days) covers secure integration of AI agents into your complete workflow, and the AI-Augmented Developer - Advanced training (1 day) covers advanced security strategies for CI/CD pipelines.

Key takeaway: adapt your permissions to your context - too restrictive slows productivity, too permissive exposes you to risks.

What's next?

You have secured Claude Code in 5 minutes. Here are the next steps to go further:

1. Explore the complete permissions and security guide to master advanced configurations
2. Consult the permissions tips to optimize your allow/deny rules
3. Avoid the pitfalls listed in common permission errors
4. Configure your MCP servers securely with the MCP quickstart
5. Practice with conversation examples to test your rules in real conditions