Securing Claude Code: Best Practices for Developers

Claude Code is one of the most capable AI coding assistant security tools available — and the same capabilities that make it useful make securing Claude Code a real engineering concern. It can read your codebase, write and edit files, run shell commands, and chain multiple operations together autonomously. That power is the point — and it's also why Claude Code security deserves real engineering attention, not just a checkbox on an onboarding doc.

This guide is a practical checklist for developers actively using Claude Code. Less theory, more things you can do today. We'll also cover why a full security posture requires both config hardening and runtime protection — and why one without the other leaves meaningful gaps.

CVE-2025-59536: Why Securing Claude Code Is No Longer Theoretical

In February 2026, researchers Aviv Donenfeld and Oded Vanunu at Check Point Research disclosed CVE-2025-59536 (GitHub Advisory GHSA-jh7p-qr78-84p7). The vulnerability involved a Claude Code config file exploit — specifically, a flaw in how Claude Code processed configuration that could enable privilege escalation and unauthorized code execution.

The disclosure date was February 26, 2026. The vulnerability is patched, but its existence reframes something important: config files are a security boundary. Not just a place where you set preferences.

For tools like Claude Code — where a malformed or tampered config can influence what the agent does with shell access — the integrity of your configuration files matters as much as the integrity of your source code. Treat them accordingly.

Read our full CVE-2025-59536 breakdown →

The Attack Surface Unique to Coding Agents

Traditional developer tools have a defined and relatively narrow attack surface. A linter reads files. A test runner executes tests. Neither takes autonomous action based on what it reads.

Claude Code is different. It has autonomous shell access, can read and write across your filesystem, can invoke MCP tool integrations, and can chain actions together without a human approving each step. That's what makes it productive. It's also what makes the attack surface meaningfully larger.

The specific risks worth understanding:

Config file manipulation. As CVE-2025-59536 demonstrated, CLAUDE.md and related config files can influence agent behavior in ways that weren't intended. A malicious or corrupted config isn't just a misconfiguration — it's a potential code execution path.

Prompt injection via untrusted content. When Claude Code reads a file, a repo, a web page, or any external content, that content has the opportunity to include instructions aimed at the agent. If those instructions look plausible enough, the agent may act on them.

MCP tool abuse. Model Context Protocol integrations extend what Claude Code can do. Each integration is a new capability surface. Unreviewed or compromised MCP tools can be weaponized to exfiltrate data, modify files, or make outbound requests. See our MCP security guide for a full breakdown.

Privilege creep. Running Claude Code with elevated permissions — even briefly — means any exploitation carries an elevated blast radius.

Best Practices Checklist

These are the controls that matter most for Claude Code best practices. They layer — apply them in order of your risk tolerance and environment sensitivity.

• Pin and review CLAUDE.md and config files — treat them as code, not config. These files influence agent behavior directly. Version-control them, diff them on change, and review them with the same scrutiny you'd apply to a deployment script.
• Restrict filesystem permissions to project scope. Claude Code doesn't need access to your home directory, SSH keys, or credential stores to work on a project. Scope its working directory tightly and apply filesystem-level restrictions where your OS supports it.
• Audit MCP tool integrations before enabling. Every MCP tool you add extends Claude Code's action surface. Before enabling an integration, review what it can do, what data it accesses, and whether it makes outbound requests. See our MCP security guide for specifics.
• Never run with elevated privileges by default. Run Claude Code as a least-privilege user. If a task genuinely requires elevated access, grant it for that task explicitly — don't leave it on as a standing configuration.
• Use allowlists for shell commands if your framework supports it. Constraining which shell commands the agent is permitted to run limits what a successful prompt injection or config exploit can actually do. Allowlists are a hard boundary; monitoring alone is not.
• Monitor tool calls in real time. Know what Claude Code is doing as it does it — not just in logs you review later. Real-time monitoring gives you the ability to intervene before damage propagates. Shoofly Basic is free and built specifically for this.
• Add pre-execution blocking for production or shared environments. In higher-risk contexts — shared dev environments, CI/CD pipelines, anywhere with sensitive data — monitoring isn't enough. You want a control that can stop a bad call before it fires. That's what Shoofly Advanced is designed for.

For a full walkthrough of implementing these controls, see our guides.

Runtime Monitoring vs. Config Hardening: Why You Need Both

This is a common gap in AI coding assistant security: config hardening and runtime monitoring are often treated as alternatives. They're not.

Config hardening reduces the attack surface before runtime. Pinning CLAUDE.md, restricting permissions, auditing MCP tools — these controls shrink the set of things that can go wrong. They're proactive and work even when no one is watching.

Runtime monitoring catches what config hardening can't. Prompt injection doesn't require a misconfigured file. A tool call can carry malicious intent sourced from untrusted content the agent processed mid-session. You can't harden your way out of that class of attack — you need real-time visibility.

And then there's the gap between both: the window after the agent has formed its intent and before it executes. Config hardening operates before that window. Logging operates after. Pre-execution blocking operates inside it — intercepting the tool call synchronously, evaluating it against policy at the hook layer, and halting it if the policy is violated. The call never fires. There's no cleanup, no rollback, no incident report. Just a stopped action.

That's the architectural difference. We've written in detail about why blocking beats detection →

Quick-Start: Adding a Security Layer to Claude Code

The fastest path to runtime security for Claude Code is Shoofly Basic. It's free, installs in one command, and starts monitoring tool calls immediately. The threat policy is open and auditable — you can read what it flags and why, and modify it to fit your environment.

Install runtime security for Claude Code and OpenClaw agents:

curl -fsSL https://shoofly.dev/install.sh | bash

Once installed, Shoofly Basic hooks into your Claude Code session and monitors tool calls in real time. If a call matches a threat pattern — unexpected file access, suspicious shell commands, out-of-scope network egress — it fires an alert.

For teams or shared environments, Shoofly Advanced upgrades to full pre-execution blocking: the hook layer intercepts tool calls synchronously. A policy violation means the call never fires — not a post-facto alert, not a log entry. Advanced also adds real-time alerts via Telegram and desktop notifications, plus policy linting.

The full Claude Code security guide covers setup through advanced policy configuration. Implementation walkthroughs are in the guides section.

See plans and pricing →

Related reading: CVE-2025-59536 deep dive · Why we block instead of detect · MCP security guide · Claude Code security overview