Claude Code Security — What Permissions to Give and What to Never Give
Claude Code runs real commands on your machine. Understanding its permission model is the single most important thing before you let it loose on production codebases. This guide covers the three permission modes, safe vs dangerous commands, hooks as safety nets, and best practices for teams.
Quick Reference
- Three modes: Ask (default), Auto-Edit, Full Auto — each trades safety for speed
- Use `claude config set allowedTools` to whitelist safe commands
- Always deny: `rm -rf`, `git push --force`, database drops, deploy commands
- Hooks let you intercept and validate commands before execution
- CLAUDE.md can declare tool restrictions per-project
- Claude Code never sends your source code to Anthropic — only prompts and responses
- Use `.claudeignore` to keep sensitive files out of context
- Review the permissions prompt carefully before pressing Enter
How the Permission Model Works
Claude Code is an agentic tool — it reads files, writes code, and runs shell commands on your actual machine. Unlike a chatbot that just generates text, Claude Code takes real actions. That power is what makes it useful, and it is also what makes permissions critical. Every tool invocation goes through a permission check. Some tools (like reading a file) are considered safe and run without asking. Others (like executing a shell command or writing to a file) require your approval — unless you have configured automatic permissions.
| Action Type | Default Behavior | Example |
|---|---|---|
| Read files | Automatic (no prompt) | Reading src/index.ts |
| Write/edit files | Requires approval | Modifying package.json |
| Shell commands | Requires approval | Running npm install |
| MCP tool calls | Requires approval | Calling a database MCP tool |
Reading files is considered safe because it does not modify your system. Claude Code needs to read freely to understand your codebase. If every file read required approval, the tool would be unusable.
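The defaults in the table, combined with the always-deny list from the Quick Reference, can be sketched as a small policy check. This is an added example, not Claude Code's own implementation: the function names, the action-type labels, the `deploy.sh` entry and the SQL pattern are assumptions made for illustration, and the deny rules are deliberately simplified. It parses the command line the way a POSIX shell would, so chained commands and reordered flags (`rm -fr`, `rm -r --force`) are caught where a plain substring match on `rm -rf` would miss them.

```python
import re
import shlex

# Default behaviour per action type, taken from the table above.
DEFAULTS = {"read": "allow", "write": "ask", "shell": "ask", "mcp": "ask"}
OPERATORS = set("();<>|&")        # characters shlex treats as shell punctuation
DROP_SQL = re.compile(r"\bdrop\s+(database|table)\b", re.I)
DEPLOY_COMMANDS = {"deploy.sh"}   # constructed placeholder for your deploy entry points

def split_segments(command):
    """Tokenize like a POSIX shell, then split on ;, &&, ||, | and parentheses."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for token in lexer:           # raises ValueError on unbalanced quotes
        if token and set(token) <= OPERATORS:
            segments.append(current)
            current = []
        else:
            current.append(token)
    segments.append(current)
    return [s for s in segments if s]

def segment_denied(tokens):
    """True if one simple command matches the always-deny list."""
    while tokens and (tokens[0] == "sudo" or re.fullmatch(r"\w+=.*", tokens[0])):
        tokens = tokens[1:]       # look past sudo and VAR=value prefixes
    if not tokens:
        return False
    name, args = tokens[0].rsplit("/", 1)[-1], tokens[1:]
    short = {c for a in args if re.fullmatch(r"-[A-Za-z]+", a) for c in a[1:]}
    if name == "rm":
        recursive = bool(short & {"r", "R"}) or "--recursive" in args
        return recursive and ("f" in short or "--force" in args)
    if name == "git" and "push" in args:
        return "f" in short or "--force" in args
    return name in DEPLOY_COMMANDS or any(DROP_SQL.search(a) for a in args)

def decide(action_type, command=""):
    """Return 'allow', 'ask' or 'deny' for one tool invocation."""
    if action_type == "shell":
        try:
            if any(segment_denied(s) for s in split_segments(command)):
                return "deny"
        except ValueError:
            return "deny"         # unparseable command line: fail closed
    return DEFAULTS.get(action_type, "ask")
```

Anything the deny rules do not match falls back to the table's default, so `git push --force-with-lease` still produces an approval prompt rather than running silently.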