
Permissions and Security

Claude Code can read files, execute commands, install packages, and modify your code. That's powerful, but also dangerous if you don't configure it properly.

The Permission Model

Claude Code has a granular permission system:

Action             | Default Permission
-------------------|-------------------
Read files         | Allowed
Edit files         | Asks permission
Create files       | Asks permission
Execute commands   | Asks permission
Install packages   | Asks permission
Network commands   | Asks permission

Every time Claude wants to do something that requires permission, it asks you. You can approve once or add to the allowed list.

Configure Permissions Intelligently

View Current Permissions

/permissions

This shows which commands Claude can execute without asking.

Add Safe Permissions

For common workflows, add these permissions:

# Testing - safe to add
npm run test
npm run lint
pnpm test
pnpm lint
 
# Build - generally safe
npm run build
pnpm build
 
# Git read-only - safe
git status
git diff
git log

Permissions You Should NEVER Add

# DANGEROUS - never allow without asking
rm -rf
npm publish
git push --force
sudo *
curl | bash

The YOLO Flag: --dangerously-skip-permissions

When you start Claude with:

claude --dangerously-skip-permissions

Claude can do EVERYTHING without asking. This is real "YOLO mode."

When to Use YOLO Mode

Situation                              | YOLO Mode?
---------------------------------------|-----------
New feature branch, non-critical code  | OK
Quick prototype, will delete later     | OK
Production, main branch                | NEVER
Financial/medical code                 | NEVER
Project with secrets in .env           | CAREFUL

Golden Rule of YOLO

Only use YOLO mode if you can do git reset --hard without losing anything important.

This means:

  • You're on a feature branch
  • All your important work is already committed
  • There are no untracked files you care about

Per-Project vs Global Configuration

Claude Code has two permission levels:

Global (~/.claude/)

Applies to ALL your projects:

# View global config
claude config --global

Add permissions here that you want everywhere (like npm run test).

Per Project (.claude/)

Applies only to this project:

# View project config
claude config

Add project-specific permissions here.

Security Best Practices

1. Start Restrictive

Don't add permissions until you need them. Better to approve manually 5 times than add a dangerous permission.

2. Always Use Branches

Before working with Claude:

git checkout -b feature/my-feature

If something goes wrong, you can delete the branch and start over.

3. Review Before Approving

When Claude asks permission to execute something, read the complete command. Don't approve blindly.

4. Don't Store Secrets in Code

If you have a .env with API keys, make sure it's in .gitignore. Claude can read files, including your secrets.

5. Use Tokens with Minimum Privilege

If you connect Claude to external services (MCPs), use tokens with minimum necessary permissions.

Mistakes That Cost Me Hours

Mistake 1: YOLO Mode on Main

The error: I left YOLO mode on and worked on main without realizing. Claude executed commands that modified core files.

The cost: 3 hours of rollback and debugging.

The lesson: NEVER YOLO on main. Create an alias: alias claudeyolo='git checkout -b temp-feature && claude --dangerously-skip-permissions'

Mistake 2: Approving npm install Without Reading

The error: Claude asked permission for npm install some-package and I approved without reading. The package had dependencies that broke other parts of the project.

The cost: 1 hour fixing package.json and cleaning node_modules.

The lesson: Always review which package it wants to install and why.

Mistake 3: Giving Global Write Permissions

The error: I added global permissions for Claude to write to any file without asking. In another project, it overwrote an important config file.

The cost: 30 minutes figuring out which file had changed.

The lesson: Write permissions are per-project, not global.

My per-project permission config:

{
  "permissions": {
    "allow": [
      "npm run test",
      "npm run lint",
      "npm run build",
      "pnpm test",
      "pnpm lint",
      "pnpm build",
      "git status",
      "git diff",
      "git log"
    ],
    "deny": [
      "rm -rf",
      "git push --force",
      "npm publish"
    ]
  }
}
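To make the allow / deny / ask decision and the "review the complete command" advice concrete, here is a small added model (not Claude Code's own implementation; its real rule syntax and matching are not reproduced) driven by the per-project config above. Rules are matched as command prefixes, deny wins over allow, anything unlisted asks, and a chained command such as `git status && rm -rf ...` is judged by its worst part rather than by the harmless-looking prefix.

```python
import json
import shlex

# Constructed copy of the lesson's per-project config (same allow/deny lists).
PROJECT_CONFIG = json.loads("""
{"permissions": {
   "allow": ["npm run test", "npm run lint", "npm run build",
             "pnpm test", "pnpm lint", "pnpm build",
             "git status", "git diff", "git log"],
   "deny":  ["rm -rf", "git push --force", "npm publish"]}}
""")
CHAIN_OPERATORS = {"&&", "||", "|", ";"}      # each side is judged on its own
SEVERITY = {"allow": 0, "ask": 1, "deny": 2}  # most restrictive verdict wins

def split_segments(command):
    """Shell-style tokenize, then break into simple commands at chain operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep "--force" and "-rf" as single tokens
    segments, current = [], []
    for tok in lexer:
        if tok in CHAIN_OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    return segments + ([current] if current else [])

def matches_rule(rule, argv):
    """A rule such as 'git push --force' matches any command starting with it."""
    rule_argv = rule.split()
    return argv[:len(rule_argv)] == rule_argv

def decide_segment(argv, perms):
    """deny beats allow; anything unlisted falls back to asking the user."""
    if any(matches_rule(r, argv) for r in perms.get("deny", [])):
        return "deny"
    if any(matches_rule(r, argv) for r in perms.get("allow", [])):
        return "allow"
    return "ask"

def decide(command, config=PROJECT_CONFIG):
    """Verdict for a whole command line: a chain is as unsafe as its worst link."""
    perms = config["permissions"]
    verdicts = [decide_segment(seg, perms) for seg in split_segments(command)]
    return max(verdicts, key=SEVERITY.get) if verdicts else "ask"
```

Note that a plain prefix match on the first command would have allowed `git status && rm -rf node_modules`; splitting at the chain operators is what surfaces the dangerous second half.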

Security Checklist

Before starting to work with Claude on a project:

  • Verify .env is in .gitignore
  • Create feature branch (never work on main)
  • Review current permissions with /permissions
  • Have a way to revert changes (git)
  • Don't use YOLO mode on critical code

Challenge: Try This

Before moving to the next lesson:

  • Run /permissions and review your current config
  • Add npm run test to allowed permissions
  • Create a feature branch for your next work
  • Verify your .env is in .gitignore

Estimated time: 5 minutes

Next Step

Now that your environment is secure, let's master the different working modes of Claude Code.