SpyBara

Documentation 2025-10-17 18:01 UTC to 2025-10-20 21:02 UTC

9 files changed +768 −1.

claude-code-on-the-web.md +441 −0 created


1# Claude Code on the web

2 

3> Run Claude Code tasks asynchronously on secure cloud infrastructure

4 

5<Note>

6 Claude Code on the web is currently in research preview.

7</Note>

8 

9## What is Claude Code on the web?

10 

11Claude Code on the web lets developers kick off Claude Code from the Claude app. This is perfect for:

12 

13* **Answering questions**: Ask about code architecture and how features are implemented

14* **Bugfixes and routine tasks**: Well-defined tasks that don't require frequent steering

15* **Parallel work**: Tackle multiple bug fixes in parallel

16* **Repositories not on your local machine**: Work on code you don't have checked out locally

17* **Backend changes**: Where Claude Code can write tests and then write code to pass those tests

18 

19Claude Code is also available on the Claude iOS app. This is perfect for:

20 

21* **On the go**: Kick off tasks while commuting or away from laptop

22* **Monitoring**: Watch the trajectory and steer the agent's work

23 

24Developers can also move Claude Code sessions from the Claude app to their terminal to continue tasks locally.

25 

26## Who can use Claude Code on the web?

27 

28Claude Code on the web is available in research preview to:

29 

30* **Pro users**

31* **Max users**

32 

33Coming soon to Team and Enterprise premium seat users.

34 

35## Getting started

36 

371. Visit [claude.ai/code](https://claude.ai/code)

382. Connect your GitHub account

393. Install the Claude GitHub app in your repositories

404. Select your default environment

415. Submit your coding task

426. Review changes and create a pull request in GitHub

43 

44## How it works

45 

46When you start a task on Claude Code on the web:

47 

481. **Repository cloning**: Your repository is cloned to an Anthropic-managed virtual machine

492. **Environment setup**: Claude prepares a secure cloud environment with your code

503. **Network configuration**: Internet access is configured based on your settings

514. **Task execution**: Claude analyzes code, makes changes, runs tests, and checks its work

525. **Completion**: You're notified when finished and can create a PR with the changes

536. **Results**: Changes are pushed to a branch, ready for pull request creation

54 

55## Moving tasks between web and terminal

56 

57### From web to terminal

58 

59After starting a task on the web:

60 

611. Click the "Open in CLI" button

622. Paste and run the command in your terminal in a checkout of the repo

633. Any existing local changes will be stashed, and the remote session will be loaded

644. Continue working locally

65 

66## Cloud environment

67 

68### Default image

69 

70We build and maintain a universal image with common toolchains and language ecosystems pre-installed. This image includes:

71 

72* Popular programming languages and runtimes

73* Common build tools and package managers

74* Testing frameworks and linters

75 

76#### Checking available tools

77 

78To see what's pre-installed in your environment, ask Claude Code to run:

79 

80```bash theme={null}

81check-tools

82```

83 

84This command displays:

85 

86* Programming languages and their versions

87* Available package managers

88* Installed development tools

89 

90#### Language-specific setups

91 

92The universal image includes pre-configured environments for:

93 

94* **Python**: Python 3.x with pip, poetry, and common scientific libraries

95* **Node.js**: Latest LTS versions with npm, yarn, and pnpm

96* **Java**: OpenJDK with Maven and Gradle

97* **Go**: Latest stable version with module support

98* **Rust**: Rust toolchain with cargo

99* **C++**: GCC and Clang compilers

100 

101### Environment configuration

102 

103When you start a session in Claude Code on the web, here's what happens under the hood:

104 

1051. **Environment preparation**: We clone your repository and run any configured Claude hooks for initialization. The repo will be cloned with the default branch on your GitHub repo. If you would like to check out a specific branch, you can specify that in the prompt.

106 

1072. **Network configuration**: We configure internet access for the agent. Internet access is limited by default, but you can configure the environment to have no internet or full internet access based on your needs.

108 

1093. **Claude Code execution**: Claude Code runs to complete your task, writing code, running tests, and checking its work. You can guide and steer Claude throughout the session via the web interface. Claude respects context you've defined in your `CLAUDE.md`.

110 

1114. **Outcome**: When Claude completes its work, it will push the branch to remote. You will be able to create a PR for the branch.

112 

113<Note>

114 Claude operates entirely through the terminal and CLI tools available in the environment. It uses the pre-installed tools in the universal image and any additional tools you install through hooks or dependency management.

115</Note>

116 

117**To add a new environment:** Select the current environment to open the environment selector, and then select "Add environment". This will open a dialog where you can specify the environment name, network access level, and any environment variables you want to set.

118 

119**To update an existing environment:** Select the current environment, to the right of the environment name, and select the settings button. This will open a dialog where you can update the environment name, network access, and environment variables.

120 

121<Note>

122 Environment variables must be specified as key-value pairs, in [`.env` format](https://www.dotenv.org/). For example:

123 

124 ```

125 API_KEY=your_api_key

126 DEBUG=true

127 ```

128</Note>

129 

130### Dependency management

131 

132Configure automatic dependency installation using the `sessionStart` hook:

133 

134```json theme={null}

135{

136 "hooks": {

137 "sessionStart": [

138 {

139 "matcher": "",

140 "hooks": [

141 {

142 "type": "command",

143 "command": "./scripts/install_pkgs.sh"

144 }

145 ]

146 }

147 ]

148 }

149}

150```

151 

152This ensures dependencies are installed automatically when a new session starts with proper network access.

153 

154## Network access and security

155 

156### Network policy

157 

158#### GitHub proxy

159 

160For security, all GitHub operations go through a dedicated proxy service that transparently handles all git interactions. Inside the sandbox, the git client authenticates using a custom-built scoped credential. This proxy:

161 

162* Manages GitHub authentication securely - the git client uses a scoped credential inside the sandbox, which the proxy verifies and translates to your actual GitHub authentication token

163* Restricts git push operations to the current working branch for safety

164* Enables seamless cloning, fetching, and PR operations while maintaining security boundaries

165 

166#### Security proxy

167 

168Environments run behind an HTTP/HTTPS network proxy for security and abuse prevention purposes. All outbound internet traffic passes through this proxy, which provides:

169 

170* Protection against malicious requests

171* Rate limiting and abuse prevention

172* Content filtering for enhanced security

173 

174### Access levels

175 

176By default, network access is limited to [allowlisted domains](#default-allowed-domains).

177 

178You can configure custom network access, including disabling network access.

179 

180### Default allowed domains

181 

182When using "Limited" network access, the following domains are allowed by default:

183 

184#### Anthropic Services

185 

186* api.anthropic.com

187* statsig.anthropic.com

188* claude.ai

189 

190#### Version Control

191 

192* github.com

193* [www.github.com](http://www.github.com)

194* api.github.com

195* raw\.githubusercontent.com

196* objects.githubusercontent.com

197* codeload.github.com

198* avatars.githubusercontent.com

199* camo.githubusercontent.com

200* gist.github.com

201* gitlab.com

202* [www.gitlab.com](http://www.gitlab.com)

203* registry.gitlab.com

204* bitbucket.org

205* [www.bitbucket.org](http://www.bitbucket.org)

206* api.bitbucket.org

207 

208#### Container Registries

209 

210* registry-1.docker.io

211* auth.docker.io

212* index.docker.io

213* hub.docker.com

214* [www.docker.com](http://www.docker.com)

215* production.cloudflare.docker.com

216* download.docker.com

217* \*.gcr.io

218* ghcr.io

219* mcr.microsoft.com

220* \*.data.mcr.microsoft.com

221 

222#### Cloud Platforms

223 

224* cloud.google.com

225* accounts.google.com

226* gcloud.google.com

227* \*.googleapis.com

228* storage.googleapis.com

229* compute.googleapis.com

230* container.googleapis.com

231* azure.com

232* portal.azure.com

233* microsoft.com

234* [www.microsoft.com](http://www.microsoft.com)

235* \*.microsoftonline.com

236* packages.microsoft.com

237* dotnet.microsoft.com

238* dot.net

239* visualstudio.com

240* dev.azure.com

241* oracle.com

242* [www.oracle.com](http://www.oracle.com)

243* java.com

244* [www.java.com](http://www.java.com)

245* java.net

246* [www.java.net](http://www.java.net)

247* download.oracle.com

248* yum.oracle.com

249 

250#### Package Managers - JavaScript/Node

251 

252* registry.npmjs.org

253* [www.npmjs.com](http://www.npmjs.com)

254* [www.npmjs.org](http://www.npmjs.org)

255* npmjs.com

256* npmjs.org

257* yarnpkg.com

258* registry.yarnpkg.com

259 

260#### Package Managers - Python

261 

262* pypi.org

263* [www.pypi.org](http://www.pypi.org)

264* files.pythonhosted.org

265* pythonhosted.org

266* test.pypi.org

267* pypi.python.org

268* pypa.io

269* [www.pypa.io](http://www.pypa.io)

270 

271#### Package Managers - Ruby

272 

273* rubygems.org

274* [www.rubygems.org](http://www.rubygems.org)

275* api.rubygems.org

276* index.rubygems.org

277* ruby-lang.org

278* [www.ruby-lang.org](http://www.ruby-lang.org)

279* rubyforge.org

280* [www.rubyforge.org](http://www.rubyforge.org)

281* rubyonrails.org

282* [www.rubyonrails.org](http://www.rubyonrails.org)

283* rvm.io

284* get.rvm.io

285 

286#### Package Managers - Rust

287 

288* crates.io

289* [www.crates.io](http://www.crates.io)

290* static.crates.io

291* rustup.rs

292* static.rust-lang.org

293* [www.rust-lang.org](http://www.rust-lang.org)

294 

295#### Package Managers - Go

296 

297* proxy.golang.org

298* sum.golang.org

299* index.golang.org

300* golang.org

301* [www.golang.org](http://www.golang.org)

302* goproxy.io

303* pkg.go.dev

304 

305#### Package Managers - JVM

306 

307* maven.org

308* repo.maven.org

309* central.maven.org

310* repo1.maven.org

311* jcenter.bintray.com

312* gradle.org

313* [www.gradle.org](http://www.gradle.org)

314* services.gradle.org

315* spring.io

316* repo.spring.io

317 

318#### Package Managers - Other Languages

319 

320* packagist.org (PHP Composer)

321* [www.packagist.org](http://www.packagist.org)

322* repo.packagist.org

323* nuget.org (.NET NuGet)

324* [www.nuget.org](http://www.nuget.org)

325* api.nuget.org

326* pub.dev (Dart/Flutter)

327* api.pub.dev

328* hex.pm (Elixir/Erlang)

329* [www.hex.pm](http://www.hex.pm)

330* cpan.org (Perl CPAN)

331* [www.cpan.org](http://www.cpan.org)

332* metacpan.org

333* [www.metacpan.org](http://www.metacpan.org)

334* api.metacpan.org

335* cocoapods.org (iOS/macOS)

336* [www.cocoapods.org](http://www.cocoapods.org)

337* cdn.cocoapods.org

338* haskell.org

339* [www.haskell.org](http://www.haskell.org)

340* hackage.haskell.org

341* swift.org

342* [www.swift.org](http://www.swift.org)

343 

344#### Linux Distributions

345 

346* archive.ubuntu.com

347* security.ubuntu.com

348* ubuntu.com

349* [www.ubuntu.com](http://www.ubuntu.com)

350* \*.ubuntu.com

351* ppa.launchpad.net

352* launchpad.net

353* [www.launchpad.net](http://www.launchpad.net)

354 

355#### Development Tools & Platforms

356 

357* dl.k8s.io (Kubernetes)

358* pkgs.k8s.io

359* k8s.io

360* [www.k8s.io](http://www.k8s.io)

361* releases.hashicorp.com (HashiCorp)

362* apt.releases.hashicorp.com

363* rpm.releases.hashicorp.com

364* archive.releases.hashicorp.com

365* hashicorp.com

366* [www.hashicorp.com](http://www.hashicorp.com)

367* repo.anaconda.com (Anaconda/Conda)

368* conda.anaconda.org

369* anaconda.org

370* [www.anaconda.com](http://www.anaconda.com)

371* anaconda.com

372* continuum.io

373* apache.org (Apache)

374* [www.apache.org](http://www.apache.org)

375* archive.apache.org

376* downloads.apache.org

377* eclipse.org (Eclipse)

378* [www.eclipse.org](http://www.eclipse.org)

379* download.eclipse.org

380* nodejs.org (Node.js)

381* [www.nodejs.org](http://www.nodejs.org)

382 

383#### Cloud Services & Monitoring

384 

385* statsig.com

386* [www.statsig.com](http://www.statsig.com)

387* api.statsig.com

388* \*.sentry.io

389 

390#### Content Delivery & Mirrors

391 

392* \*.sourceforge.net

393* packagecloud.io

394* \*.packagecloud.io

395 

396#### Schema & Configuration

397 

398* json-schema.org

399* [www.json-schema.org](http://www.json-schema.org)

400* json.schemastore.org

401* [www.schemastore.org](http://www.schemastore.org)

402 

403<Note>

404 Domains marked with `*` indicate wildcard subdomain matching. For example, `*.gcr.io` allows access to any subdomain of `gcr.io`.

405</Note>

406 

407### Security best practices for customized network access

408 

4091. **Principle of least privilege**: Only enable the minimum network access required

4102. **Audit regularly**: Review allowed domains periodically

4113. **Use HTTPS**: Always prefer HTTPS endpoints over HTTP

412 

413## Security and isolation

414 

415Claude Code on the web provides strong security guarantees:

416 

417* **Isolated virtual machines**: Each session runs in an isolated, Anthropic-managed VM

418* **Network access controls**: Network access is limited by default, and can be disabled

419* **Credential protection**: Sensitive credentials (such as git credentials or signing keys) are never inside the sandbox with Claude Code. Authentication is handled through a secure proxy using scoped credentials

420* **Secure analysis**: Code is analyzed and modified within isolated VMs before creating PRs

421 

422## Pricing and rate limits

423 

424Claude Code on the web shares rate limits with all other Claude and Claude Code usage within your account. Running multiple tasks in parallel will consume more rate limits proportionately.

425 

426## Limitations

427 

428* **Repository authentication**: You can only move sessions from web to local when you are authenticated to the same account

429* **Platform restrictions**: Claude Code on the web only works with code hosted in GitHub. GitLab and other non-GitHub repositories cannot be used with cloud sessions

430 

431## Best practices

432 

4331. **Use Claude Code hooks**: Configure [sessionStart hooks](/en/docs/claude-code/hooks#sessionstart) to automate environment setup, dependency installation, and network configuration

4342. **Document requirements**: Clearly specify dependencies and commands in your `CLAUDE.md` file. If you have an `AGENTS.md` file, you can source it in your `CLAUDE.md` using `@AGENTS.md` to maintain a single source of truth.

435 

436## Related resources

437 

438* [Hooks configuration](/en/docs/claude-code/hooks)

439* [Settings reference](/en/docs/claude-code/settings)

440* [Security](/en/docs/claude-code/security)

441* [Data usage](/en/docs/claude-code/data-usage)
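
Review bot: The "Default allowed domains" section (lines 180-405 of the new file) lists broad hosts such as github.com, gist.github.com and `*.googleapis.com` as reachable under "Limited" access with no caveat, while sandboxing.md in this same change warns that allowing broad domains like `github.com` "may allow for data exfiltration". Suggest adding a `<Warning>` under the list that repeats that caveat and points to "Security best practices for customized network access". Separately, the `www.` entries are written as `http://` links (for example `[www.github.com](http://www.github.com)`), which sits oddly beside the "Use HTTPS" advice at line 411; plain host names like the other entries would be consistent. In "How it works", step 6 (changes pushed to a branch) describes something that has to happen before step 5 (you can create a PR), so the two steps should be swapped or merged.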

data-usage.md +16 −0


55 55 

56Claude Code is built on Anthropic's APIs. For details regarding our API's security controls, including our API logging procedures, please refer to compliance artifacts offered in the [Anthropic Trust Center](https://trust.anthropic.com).56Claude Code is built on Anthropic's APIs. For details regarding our API's security controls, including our API logging procedures, please refer to compliance artifacts offered in the [Anthropic Trust Center](https://trust.anthropic.com).

57 57 

58### Cloud execution

59 

60<Note>

61 The above data flow diagram and description applies to Claude Code CLI running locally on your machine. For cloud-based sessions using Claude Code on the web, see the section below.

62</Note>

63 

64When using [Claude Code on the web](/en/docs/claude-code/claude-code-on-the-web), sessions run in Anthropic-managed virtual machines instead of locally. In cloud environments:

65 

66* **Code storage**: Your repository is cloned to an isolated VM and automatically deleted after session completion

67* **Credentials**: GitHub authentication is handled through a secure proxy; your GitHub credentials never enter the sandbox

68* **Network traffic**: All outbound traffic goes through a security proxy for audit logging and abuse prevention

69* **Data retention**: Code and session data are subject to the retention and usage policies for your account type

70* **Session data**: Prompts, code changes, and outputs follow the same data policies as local Claude Code usage

71 

72For security details about cloud execution, see [Security](/en/docs/claude-code/security#cloud-execution-security).

73 

58## Telemetry services74## Telemetry services

59 75 

60Claude Code connects from users' machines to the Statsig service to log operational metrics such as latency, reliability, and usage patterns. This logging does not include any code or file paths. Data is encrypted in transit using TLS and at rest using 256-bit AES encryption. Read more in the [Statsig security documentation](https://www.statsig.com/trust/security). To opt out of Statsig telemetry, set the `DISABLE_TELEMETRY` environment variable.76Claude Code connects from users' machines to the Statsig service to log operational metrics such as latency, reliability, and usage patterns. This logging does not include any code or file paths. Data is encrypted in transit using TLS and at rest using 256-bit AES encryption. Read more in the [Statsig security documentation](https://www.statsig.com/trust/security). To opt out of Statsig telemetry, set the `DISABLE_TELEMETRY` environment variable.
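
Review bot: The "Code storage" and "Data retention" bullets at new lines 66 and 69 read as contradictory: one says the cloned repository is "automatically deleted after session completion", the other says code is "subject to the retention and usage policies for your account type". Suggest stating which copy of the code is deleted with the VM and which data falls under account retention. The "Network traffic" bullet also gives "audit logging" as a purpose of the security proxy, which the "Security proxy" section of claude-code-on-the-web.md does not mention; the two pages should agree on what the proxy records.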

mcp.md +38 −0


1226}1226}

1227```1227```

1228 1228 

1229### Restricting MCP servers with allowlists and denylists

1230 

1231In addition to providing enterprise-managed servers, administrators can control which MCP servers users are allowed to configure using `allowedMcpServers` and `deniedMcpServers` in the `managed-settings.json` file:

1232 

1233* **macOS**: `/Library/Application Support/ClaudeCode/managed-settings.json`

1234* **Windows**: `C:\ProgramData\ClaudeCode\managed-settings.json`

1235* **Linux**: `/etc/claude-code/managed-settings.json`

1236 

1237```json theme={null}

1238{

1239 "allowedMcpServers": [

1240 { "serverName": "github" },

1241 { "serverName": "sentry" },

1242 { "serverName": "company-internal" }

1243 ],

1244 "deniedMcpServers": [

1245 { "serverName": "filesystem" }

1246 ]

1247}

1248```

1249 

1250**Allowlist behavior (`allowedMcpServers`)**:

1251 

1252* `undefined` (default): No restrictions - users can configure any MCP server

1253* Empty array `[]`: Complete lockdown - users cannot configure any MCP servers

1254* List of server names: Users can only configure the specified servers

1255 

1256**Denylist behavior (`deniedMcpServers`)**:

1257 

1258* `undefined` (default): No servers are blocked

1259* Empty array `[]`: No servers are blocked

1260* List of server names: Specified servers are explicitly blocked across all scopes

1261 

1262**Important notes**:

1263 

1264* These restrictions apply to all scopes: user, project, local, and even enterprise servers from `managed-mcp.json`

1265* **Denylist takes absolute precedence**: If a server appears in both lists, it will be blocked

1266 

1229<Note>1267<Note>

1230 **Enterprise configuration precedence**: The enterprise MCP configuration has the highest precedence and cannot be overridden by user, local, or project configurations when `useEnterpriseMcpConfigOnly` is enabled.1268 **Enterprise configuration precedence**: The enterprise MCP configuration has the highest precedence and cannot be overridden by user, local, or project configurations when `useEnterpriseMcpConfigOnly` is enabled.

1231</Note>1269</Note>
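
Review bot: The allowlist and denylist entries at new lines 1239-1246 match on `serverName` alone, and the text does not say whether that name is tied to a particular command or URL. If the name is only the label chosen in the MCP configuration, the section should state what a name match actually guarantees, or document a way to pin an entry to the server's command or URL if one exists. It would also help to say how `allowedMcpServers` interacts with `useEnterpriseMcpConfigOnly` from the Note that follows, since line 1264 says the lists apply to enterprise servers from `managed-mcp.json` as well.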

quickstart.md +4 −0


315 <Card title="Configuration" icon="gear" href="/en/docs/claude-code/settings">315 <Card title="Configuration" icon="gear" href="/en/docs/claude-code/settings">

316 Customize Claude Code for your workflow316 Customize Claude Code for your workflow

317 </Card>317 </Card>

318 

319 <Card title="Claude Code on the web" icon="cloud" href="/en/docs/claude-code/claude-code-on-the-web">

320 Run tasks asynchronously in the cloud

321 </Card>

318</CardGroup>322</CardGroup>

319 323 

320## Getting help324## Getting help

sandboxing.md +196 −0 created


1# Sandboxing

2 

3> Learn how Claude Code's sandboxed bash tool provides filesystem and network isolation for safer, more autonomous agent execution.

4 

5## Overview

6 

7Claude Code features native sandboxing to provide a more secure environment for agent execution while reducing the need for constant permission prompts. Instead of asking permission for each bash command, sandboxing creates defined boundaries upfront where Claude Code can work more freely with reduced risk.

8 

9The sandboxed bash tool uses OS-level primitives to enforce both filesystem and network isolation.

10 

11## Why sandboxing matters

12 

13Traditional permission-based security requires constant user approval for bash commands. While this provides control, it can lead to:

14 

15* **Approval fatigue**: Repeatedly clicking "approve" can cause users to pay less attention to what they're approving

16* **Reduced productivity**: Constant interruptions slow down development workflows

17* **Limited autonomy**: Claude Code cannot work as efficiently when waiting for approvals

18 

19Sandboxing addresses these challenges by:

20 

211. **Defining clear boundaries**: Specify exactly which directories and network hosts Claude Code can access

222. **Reducing permission prompts**: Safe commands within the sandbox don't require approval

233. **Maintaining security**: Attempts to access resources outside the sandbox trigger immediate notifications

244. **Enabling autonomy**: Claude Code can run more independently within defined limits

25 

26<Warning>

27 Effective sandboxing requires **both** filesystem and network isolation. Without network isolation, a compromised agent could exfiltrate sensitive files like SSH keys. Without filesystem isolation, a compromised agent could backdoor system resources to gain network access. When configuring sandboxing it is important to ensure that your configured settings do not create bypasses in these systems.

28</Warning>

29 

30## How it works

31 

32### Filesystem isolation

33 

34The sandboxed bash tool restricts file system access to specific directories:

35 

36* **Default writes behavior**: Read and write access to the current working directory and its subdirectories

37* **Default read behavior**: Read access to the entire computer, except certain denied directories

38* **Blocked access**: Cannot modify files outside the current working directory without explicit permission

39* **Configurable**: Define custom allowed and denied paths through settings

40 

41### Network isolation

42 

43Network access is controlled through a proxy server running outside the sandbox:

44 

45* **Domain restrictions**: Only approved domains can be accessed

46* **User confirmation**: New domain requests trigger permission prompts

47* **Custom proxy support**: Advanced users can implement custom rules on outgoing traffic

48* **Comprehensive coverage**: Restrictions apply to all scripts, programs, and subprocesses spawned by commands

49 

50### OS-level enforcement

51 

52The sandboxed bash tool leverages operating system security primitives:

53 

54* **Linux**: Uses [bubblewrap](https://github.com/containers/bubblewrap) for isolation

55* **macOS**: Uses Seatbelt for sandbox enforcement

56 

57These OS-level restrictions ensure that all child processes spawned by Claude Code's commands inherit the same security boundaries.

58 

59## Getting started

60 

61### Enable sandboxing

62 

63You can enable sandboxing by running the `/sandbox` slash command:

64 

65```

66> /sandbox

67```

68 

69This activates the sandboxed bash tool with default settings, allowing access to your current working directory while blocking access to sensitive system locations.

70 

71### Configure sandboxing

72 

73Customize sandbox behavior through your `settings.json` file. See [Settings](/en/docs/claude-code/settings#sandbox-settings) for complete configuration reference.

74 

75<Tip>

76 **Pattern support:**

77 

78 * Paths support absolute (`/home/user`), relative (`./src`), home directory (`~`), and wildcards (`**/*.json`)

79 * Domains support exact matches (`github.com`), wildcards (`*.npmjs.org`), and subdomains

80</Tip>

81 

82## Security benefits

83 

84### Protection against prompt injection

85 

86Even if an attacker successfully manipulates Claude Code's behavior through prompt injection, the sandbox ensures your system remains secure:

87 

88**Filesystem protection:**

89 

90* Cannot modify critical config files such as `~/.bashrc`

91* Cannot modify system-level files in `/bin/`

92* Cannot read files that are denied in your [Claude permission settings](/en/docs/claude-code/iam#configuring-permissions)

93 

94**Network protection:**

95 

96* Cannot exfiltrate data to attacker-controlled servers

97* Cannot download malicious scripts from unauthorized domains

98* Cannot make unexpected API calls to unapproved services

99* Cannot contact any domains not explicitly allowed

100 

101**Monitoring and control:**

102 

103* All access attempts outside the sandbox are blocked at the OS level

104* You receive immediate notifications when boundaries are tested

105* You can choose to deny, allow once, or permanently update your configuration

106 

107### Reduced attack surface

108 

109Sandboxing limits the potential damage from:

110 

111* **Malicious dependencies**: NPM packages or other dependencies with harmful code

112* **Compromised scripts**: Build scripts or tools with security vulnerabilities

113* **Social engineering**: Attacks that trick users into running dangerous commands

114* **Prompt injection**: Attacks that trick Claude into running dangerous commands

115 

116### Transparent operation

117 

118When Claude Code attempts to access network resources outside the sandbox:

119 

1201. The operation is blocked at the OS level

1212. You receive an immediate notification

1223. You can choose to:

123 * Deny the request

124 * Allow it once

125 * Update your sandbox configuration to permanently allow it

126 

127## Security Limitations

128 

129* Network Sandboxing Limitations: The network filtering system operates by restricting the domains that processes are allowed to connect to. It does not otherwise inspect the traffic passing through the proxy and users are responsible for ensuring they only allow trusted domains in their policy.

130 

131<Warning>

132 Users should be aware of potential risks that come from allowing broad domains like `github.com` that may allow for data exfiltration. Also, in some cases it may be possible to bypass the network filtering through [domain fronting](https://en.wikipedia.org/wiki/Domain_fronting).

133</Warning>

134 

135* Privilege Escalation via Unix Sockets: The `allowUnixSockets` configuration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to `/var/run/docker.sock` this would effectively grant access to the host system through exploiting the docker socket. Users are encouraged to carefully consider any unix sockets that they allow through the sandbox.

136* Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.

137* Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used incases where additional isolation is otherwise enforced.

138 

139## Advanced usage

140 

141### Custom proxy configuration

142 

143For organizations requiring advanced network security, you can implement a custom proxy to:

144 

145* Decrypt and inspect HTTPS traffic

146* Apply custom filtering rules

147* Log all network requests

148* Integrate with existing security infrastructure

149 

150```json theme={null}

151{

152 "sandbox": {

153 "httpProxyPort": 8080,

154 "socksProxyPort": 8081,

155 }

156}

157```

158 

159### Integration with existing security tools

160 

161The sandboxed bash tool works alongside:

162 

163* **IAM policies**: Combine with [permission settings](/en/docs/claude-code/iam) for defense-in-depth

164* **Development containers**: Use with [devcontainers](/en/docs/claude-code/devcontainer) for additional isolation

165* **Enterprise policies**: Enforce sandbox configurations through [managed settings](/en/docs/claude-code/settings#settings-precedence)

166 

167## Best practices

168 

1691. **Start restrictive**: Begin with minimal permissions and expand as needed

1702. **Monitor logs**: Review sandbox violation attempts to understand Claude Code's needs

1713. **Use environment-specific configs**: Different sandbox rules for development vs. production contexts

1724. **Combine with permissions**: Use sandboxing alongside IAM policies for comprehensive security

1735. **Test configurations**: Verify your sandbox settings don't block legitimate workflows

174 

175## Open source

176 

177The sandbox runtime is available as an open source npm package for use in your own agent projects. This enables the broader AI agent community to build safer, more secure autonomous systems. This can also be used to sandbox other programs you may wish to run. For example, to sandbox an MCP server you could run:

178 

179```bash theme={null}

180npx @anthropic-ai/sandbox-runtime <command-to-sandbox>

181```

182 

183For implementation details and source code, visit the [GitHub repository](https://github.com/anthropic-experimental/sandbox-runtime).

184 

185## Limitations

186 

187* **Performance overhead**: Minimal, but some filesystem operations may be slightly slower

188* **Compatibility**: Some tools that require specific system access patterns may need configuration adjustments, or may even need to be run outside of the sandbox

189* **Platform support**: Currently supports Linux and macOS; Windows support planned

190 

191## See also

192 

193* [Security](/en/docs/claude-code/security) - Comprehensive security features and best practices

194* [IAM](/en/docs/claude-code/iam) - Permission configuration and access control

195* [Settings](/en/docs/claude-code/settings) - Complete configuration reference

196* [CLI reference](/en/docs/claude-code/cli-reference) - Command-line options including `-sb`
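
Review bot: In the "Open source" section (line 180), the example `npx @anthropic-ai/sandbox-runtime <command-to-sandbox>` carries no version, so the command does not fix which release of the runtime actually executes. For a tool that is itself the isolation boundary, suggest showing a pinned form such as `npx @anthropic-ai/sandbox-runtime@<version> <command-to-sandbox>` (with `<version>` as a placeholder) or telling readers to install a fixed version first. Separately, best practice 2 ("Monitor logs") does not say where sandbox violation attempts are recorded; a pointer to the log location or to the command that displays them would make that step actionable.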

security.md +15 −0


20 20 

21To mitigate risks in agentic systems:21To mitigate risks in agentic systems:

22 22 

23* **Sandboxed bash tool**: [Sandbox](/en/docs/claude-code/sandboxing) bash commands with filesystem and network isolation, reducing permission prompts while maintaining security. Enable with `/sandbox` to define boundaries where Claude Code can work autonomously

23* **Write access restriction**: Claude Code can only write to the folder where it was started and its subfolders—it cannot modify files in parent directories without explicit permission. While Claude Code can read files outside the working directory (useful for accessing system libraries and dependencies), write operations are strictly confined to the project scope, creating a clear security boundary24* **Write access restriction**: Claude Code can only write to the folder where it was started and its subfolders—it cannot modify files in parent directories without explicit permission. While Claude Code can read files outside the working directory (useful for accessing system libraries and dependencies), write operations are strictly confined to the project scope, creating a clear security boundary

24* **Prompt fatigue mitigation**: Support for allowlisting frequently used safe commands per-user, per-codebase, or per-organization25* **Prompt fatigue mitigation**: Support for allowlisting frequently used safe commands per-user, per-codebase, or per-organization

25* **Accept Edits mode**: Batch accept multiple edits while maintaining permission prompts for commands with side effects26* **Accept Edits mode**: Batch accept multiple edits while maintaining permission prompts for commands with side effects
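
Review bot: The new "Sandboxed bash tool" bullet (line 23) says sandboxing reduces permission prompts "while maintaining security" but does not say how the prompts are reduced. The settings.md change in this same commit lists `autoAllowBashIfSandboxed` with "Default: true", so bash commands are auto-approved once the sandbox is enabled. Suggest stating that here and linking the setting, so a reader who runs `/sandbox` understands that approval moves from per-command prompts to the sandbox boundary.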


84 85 

85See [here](/en/docs/claude-code/ide-integrations#security) for more information on the security of running Claude Code in an IDE.86See [here](/en/docs/claude-code/ide-integrations#security) for more information on the security of running Claude Code in an IDE.

86 87 

88## Cloud execution security

89 

90When using [Claude Code on the web](/en/docs/claude-code/claude-code-on-the-web), additional security controls are in place:

91 

92* **Isolated virtual machines**: Each cloud session runs in an isolated, Anthropic-managed VM

93* **Network access controls**: Network access is limited by default and can be configured to be disabled or allow only specific domains

94* **Credential protection**: Authentication is handled through a secure proxy that uses a scoped credential inside the sandbox, which is then translated to your actual GitHub authentication token

95* **Branch restrictions**: Git push operations are restricted to the current working branch

96* **Audit logging**: All operations in cloud environments are logged for compliance and audit purposes

97* **Automatic cleanup**: Cloud environments are automatically terminated after session completion

98 

99For more details on cloud execution, see [Claude Code on the web](/en/docs/claude-code/claude-code-on-the-web).

100 

87## Security best practices101## Security best practices

88 102 

89### Working with sensitive code103### Working with sensitive code
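
Review bot: The "Credential protection" bullet (line 94) is ambiguous: "a scoped credential inside the sandbox, which is then translated to your actual GitHub authentication token" does not say where the translation happens or what the credential is scoped to. Suggest wording that states the property a reader needs, namely whether the real GitHub token ever enters the session VM, and naming the scope (repository, branch, lifetime). The "Audit logging" bullet (line 96) would likewise benefit from saying who can access the logs and how long they are retained.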


111 125 

112## Related resources126## Related resources

113 127 

128* [Sandboxing](/en/docs/claude-code/sandboxing) - Filesystem and network isolation for bash commands

114* [Identity and Access Management](/en/docs/claude-code/iam) - Configure permissions and access controls129* [Identity and Access Management](/en/docs/claude-code/iam) - Configure permissions and access controls

115* [Monitoring usage](/en/docs/claude-code/monitoring-usage) - Track and audit Claude Code activity130* [Monitoring usage](/en/docs/claude-code/monitoring-usage) - Track and audit Claude Code activity

116* [Development containers](/en/docs/claude-code/devcontainer) - Secure, isolated environments131* [Development containers](/en/docs/claude-code/devcontainer) - Secure, isolated environments

settings.md +55 −1


53`settings.json` supports a number of options:53`settings.json` supports a number of options:

54 54 

55| Key | Description | Example |55| Key | Description | Example |

56| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------- |56| :--------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------- |

57| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |57| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |

58| `cleanupPeriodDays` | How long to locally retain chat transcripts based on last activity date (default: 30 days) | `20` |58| `cleanupPeriodDays` | How long to locally retain chat transcripts based on last activity date (default: 30 days) | `20` |

59| `env` | Environment variables that will be applied to every session | `{"FOO": "bar"}` |59| `env` | Environment variables that will be applied to every session | `{"FOO": "bar"}` |


70| `enabledMcpjsonServers` | List of specific MCP servers from `.mcp.json` files to approve | `["memory", "github"]` |70| `enabledMcpjsonServers` | List of specific MCP servers from `.mcp.json` files to approve | `["memory", "github"]` |

71| `disabledMcpjsonServers` | List of specific MCP servers from `.mcp.json` files to reject | `["filesystem"]` |71| `disabledMcpjsonServers` | List of specific MCP servers from `.mcp.json` files to reject | `["filesystem"]` |

72| `useEnterpriseMcpConfigOnly` | When set in managed-settings.json, restricts MCP servers to only those defined in managed-mcp.json. See [Enterprise MCP configuration](/en/docs/claude-code/mcp#enterprise-mcp-configuration) | `true` |72| `useEnterpriseMcpConfigOnly` | When set in managed-settings.json, restricts MCP servers to only those defined in managed-mcp.json. See [Enterprise MCP configuration](/en/docs/claude-code/mcp#enterprise-mcp-configuration) | `true` |

73| `allowedMcpServers` | When set in managed-settings.json, allowlist of MCP servers users can configure. Undefined = no restrictions, empty array = lockdown. Applies to all scopes. Denylist takes precedence. See [Enterprise MCP configuration](/en/docs/claude-code/mcp#enterprise-mcp-configuration) | `[{ "serverName": "github" }]` |

74| `deniedMcpServers` | When set in managed-settings.json, denylist of MCP servers that are explicitly blocked. Applies to all scopes including enterprise servers. Denylist takes precedence over allowlist. See [Enterprise MCP configuration](/en/docs/claude-code/mcp#enterprise-mcp-configuration) | `[{ "serverName": "filesystem" }]` |

73| `awsAuthRefresh` | Custom script that modifies the `.aws` directory (see [advanced credential configuration](/en/docs/claude-code/amazon-bedrock#advanced-credential-configuration)) | `aws sso login --profile myprofile` |75| `awsAuthRefresh` | Custom script that modifies the `.aws` directory (see [advanced credential configuration](/en/docs/claude-code/amazon-bedrock#advanced-credential-configuration)) | `aws sso login --profile myprofile` |

74| `awsCredentialExport` | Custom script that outputs JSON with AWS credentials (see [advanced credential configuration](/en/docs/claude-code/amazon-bedrock#advanced-credential-configuration)) | `/bin/generate_aws_grant.sh` |76| `awsCredentialExport` | Custom script that outputs JSON with AWS credentials (see [advanced credential configuration](/en/docs/claude-code/amazon-bedrock#advanced-credential-configuration)) | `/bin/generate_aws_grant.sh` |

75 77 
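
Review bot: In the `allowedMcpServers` row (line 73), "Undefined = no restrictions, empty array = lockdown" packs a fail-open default and its opposite into one terse clause, which is easy to misread when writing managed-settings.json; suggest spelling it out as two full sentences. Both new rows also leave the interaction with the neighbouring `useEnterpriseMcpConfigOnly`, `enabledMcpjsonServers` and `disabledMcpjsonServers` keys undocumented, and the examples show only `serverName` without saying how an entry is matched against a configured server.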


84| `defaultMode` | Default [permission mode](iam#permission-modes) when opening Claude Code | `"acceptEdits"` |86| `defaultMode` | Default [permission mode](iam#permission-modes) when opening Claude Code | `"acceptEdits"` |

85| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed policy settings](iam#enterprise-managed-policy-settings) | `"disable"` |87| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed policy settings](iam#enterprise-managed-policy-settings) | `"disable"` |

86 88 

89### Sandbox settings

90 

91Configure advanced sandboxing behavior. Sandboxing isolates bash commands from your filesystem and network. See [Sandboxing](/en/docs/claude-code/sandboxing) for details.

92 

93**Filesystem and network restrictions** are configured via Read, Edit, and WebFetch permission rules, not via these sandbox settings.

94 

95| Keys | Description | Example |

96| :-------------------------- | :------------------------------------------------------------------------------------------------------------ | :------------------------ |

97| `enabled` | Enable bash sandboxing (macOS/Linux only). Default: false | `true` |

98| `autoAllowBashIfSandboxed` | Auto-approve bash commands when sandboxed. Default: true | `true` |

99| `excludedCommands` | Commands that should run outside of the sandbox | `["git", "docker"]` |

100| `network.allowUnixSockets` | Unix socket paths accessible in sandbox (for SSH agents, etc.) | `["~/.ssh/agent-socket"]` |

101| `network.allowLocalBinding` | Allow binding to localhost ports (MacOS only). Default: false | `true` |

102| `network.httpProxyPort` | HTTP proxy port used if you wish to bring your own proxy. If not specified, Claude will run its own proxy. | `8080` |

103| `network.socksProxyPort` | SOCKS5 proxy port used if you wish to bring your own proxy. If not specified, Claude will run its own proxy. | `8081` |

104| `enableWeakerNestedSandbox` | Enable weaker sandbox for unprivileged Docker environments (Linux only). **Reduces security.** Default: false | `true` |

105 

106**Configuration example:**

107 

108```json theme={null}

109{

110 "sandbox": {

111 "enabled": true,

112 "autoAllowBashIfSandboxed": true,

113 "excludedCommands": ["docker"],

114 "network": {

115 "allowUnixSockets": [

116 "/var/run/docker.sock"

117 ],

118 "allowLocalBinding": true

119 }

120 },

121 "permissions": {

122 "deny": [

123 "Read(.envrc)",

124 "Read(~/.aws/**)"

125 ]

126 }

127}

128```

129 

130**Filesystem access** is controlled via Read/Edit permissions:

131 

132* Read deny rules block file reads in sandbox

133* Edit allow rules permit file writes (in addition to the defaults, e.g. the current working directory)

134* Edit deny rules block writes within allowed paths

135 

136**Network access** is controlled via WebFetch permissions:

137 

138* WebFetch allow rules permit network domains

139* WebFetch deny rules block network domains

140 

87### Settings precedence141### Settings precedence

88 142 

89Settings are applied in order of precedence (highest to lowest):143Settings are applied in order of precedence (highest to lowest):
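
Review bot: The configuration example (lines 109-127) both excludes `docker` from the sandbox and adds `/var/run/docker.sock` to `network.allowUnixSockets`, with no caveat. Access to that socket lets a sandboxed process drive the Docker daemon, so the example widens the boundary considerably, yet only `enableWeakerNestedSandbox` is marked "Reduces security" in the table. Suggest adding a comparable warning to `excludedCommands` and `network.allowUnixSockets`, or explaining the trade-off next to the example. The section should also say whether commands listed in `excludedCommands` still go through the normal permission prompt when `autoAllowBashIfSandboxed` is true. Minor: the table header is "Keys" where the other tables use "Key", and "MacOS only" on line 101 is inconsistent with "macOS/Linux only" on line 97.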

Details

24| `/permissions` | View or update [permissions](/en/docs/claude-code/iam#configuring-permissions) |24| `/permissions` | View or update [permissions](/en/docs/claude-code/iam#configuring-permissions) |

25| `/pr_comments` | View pull request comments |25| `/pr_comments` | View pull request comments |

26| `/review` | Request code review |26| `/review` | Request code review |

27| `/sandbox` | Enable sandboxed bash tool with filesystem and network isolation for safer, more autonomous execution |

27| `/rewind` | Rewind the conversation and/or code |28| `/rewind` | Rewind the conversation and/or code |

28| `/status` | Open the Settings interface (Status tab) showing version, model, account, and connectivity |29| `/status` | Open the Settings interface (Status tab) showing version, model, account, and connectivity |

29| `/terminal-setup` | Install Shift+Enter key binding for newlines (iTerm2 and VSCode only) |30| `/terminal-setup` | Install Shift+Enter key binding for newlines (iTerm2 and VSCode only) |
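
Review bot: The new `/sandbox` row (line 27) is inserted between `/review` and `/rewind`, which breaks the table's alphabetical order; move it after `/rewind` so it sits directly before `/status`.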

vs-code.md +2 −0


2 2 

3> Use Claude Code with Visual Studio Code through our native extension or CLI integration3> Use Claude Code with Visual Studio Code through our native extension or CLI integration

4 4 

5<img src="https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=600835067c8b03557a0529978e3f0261" alt="Claude Code VS Code Extension Interface" data-og-width="2500" width="2500" data-og-height="1155" height="1155" data-path="images/vs-code-extension-interface.jpg" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=280&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=c11a25932f84ca58124a368156b476d2 280w, https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=560&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=3642697ed4d8a6c02396c403bf7aae44 560w, https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=840&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=fb3cb16e752060fbeb0f5e8ba775798b 840w, https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=1100&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=1c6073edc8fcfcbc8e237cbf5f25cdc6 1100w, https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=1650&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=152628678fe3301018b79e932706c430 1650w, https://mintcdn.com/anthropic-claude-docs/Xfpgr-ckk38MZnw3/images/vs-code-extension-interface.jpg?w=2500&fit=max&auto=format&n=Xfpgr-ckk38MZnw3&q=85&s=7ac83b2db00366c9a745380571a748ab 2500w" />

6 

5## VS Code Extension (Beta)7## VS Code Extension (Beta)

6 8 

7The VS Code extension, available in beta, lets you see Claude's changes in real-time through a native graphical interface integrated directly into your IDE. The VS Code extension makes it easier to access and interact with Claude Code for users who prefer a visual interface over the terminal.9The VS Code extension, available in beta, lets you see Claude's changes in real-time through a native graphical interface integrated directly into your IDE. The VS Code extension makes it easier to access and interact with Claude Code for users who prefer a visual interface over the terminal.