// 54 tips tagged "security"
Before deploying, tell Claude to scan your code for security issues — SQL injection, XSS, CSRF gaps, insecure defaults, hardcoded secrets, broken auth, and mass assignment risks. Claude reads your actual code, not just patterns, so it finds vulnerabilities that generic scanners miss.
When running Claude Code in automation or headless mode, pass --max-turns to cap the number of agentic steps it takes before stopping. This prevents runaway operations, controls costs, and ensures Claude finishes within a predictable budget of actions.
Restrict which tools Claude has access to with --allowedTools and --disallowedTools — make Claude read-only by blocking Edit and Write, prevent command execution by blocking Bash, or whitelist only the specific tools a CI job needs. Fine-grained control for safety-conscious workflows.
When you need to share sample data, create test fixtures, or debug with production-like records, tell Claude to sanitize the data — replacing real names, emails, phone numbers, and IDs with realistic fakes while keeping the structure, relationships, and data types intact.
Tell Claude to scan your codebase for common security vulnerabilities — SQL injection, XSS, broken authentication, insecure deserialization, and the rest of the OWASP Top 10 — and it finds the actual vulnerable lines with specific fixes, not generic advice.
Limit which tools Claude Code can use by setting allowedTools in your project settings or passing --allowedTools on the CLI — restrict to read-only for code reviews, block file writes in CI, or limit to specific MCP tools for safety.
Tell Claude which webhook provider you're integrating — Stripe, GitHub, Twilio, or any other — and it reads the docs, builds the handler with signature verification, idempotent event processing, and proper retry handling so you never miss or double-process an event.
Tell Claude to read your database schema and models, then add input validation to your API endpoints and forms — column types become type checks, NOT NULL becomes required, string lengths become max rules, and foreign keys become exists checks, all derived from the actual constraints.
Tell Claude which endpoints need protection and it reads your framework's middleware patterns to add rate limiting, response caching, and cache headers — configured per-route based on the endpoint's sensitivity and expected traffic.
Tell Claude to read your lockfile and check every dependency's license — it flags GPL packages in MIT projects, identifies unknown licenses, and spots the copyleft or commercial restrictions that could cause legal headaches before they become problems.
Add tools to your deniedTools list to create a hard block that prevents Claude from ever running them — even if you accidentally click approve. Use it for destructive commands, production databases, or anything that should never happen from your dev machine.
Tell Claude to scan your project for security vulnerabilities — SQL injection, XSS, hardcoded secrets, insecure dependencies, and missing auth checks — and it reads your actual code to produce specific, actionable findings, not generic warnings.