Claude Code is a terminal coding agent. Installation is a one-liner; the security payoff is in how you
configure settings.json and hooks afterward.
Install
npm install -g @anthropic-ai/claude-code
claude # first run walks you through auth
settings.json essentials
Settings live in ~/.claude/settings.json (user) or .claude/settings.json (project).
The keys that matter for safety:
permissions— allow/deny rules for tools. Prefer explicit allowlists over broad grants.hooks— run your own checks before/after tool calls (see below).env— environment for the session; keep long-lived secrets out of here.
Use hooks to gate risky actions
A PreToolUse hook fires before a tool runs and can block or log it — useful for catching
destructive shell commands or unexpected network calls without trusting the model alone:
{
"hooks": {
"PreToolUse": [{ "matcher": "Bash", "hooks": [
{ "type": "command", "command": "/usr/local/bin/audit-bash.sh" }
]}]
}
}
Hardening checklist
- Tighten
permissions; deny by default, allow what you need. - Inject short-lived, scoped tokens at session start instead of storing secrets in
env. - Treat any third-party "recommended settings.json" as untrusted — read every key before applying.
- Review the authoritative settings schema when in doubt; don't copy config blindly from a blog (including this one — verify against the official docs).