Claude Code: allow web fetch to all domains
Peter Hartree
By default, Claude Code asks for permission every time it fetches content from a domain you haven't already whitelisted.
I went along with this for a while, gradually adding more and more domains to the global whitelist in ~/.claude/settings.json, while omitting domains I consider higher risk (e.g. github.com).
But, on reflection, I think this approach does not pass the security:convenience tradeoff:
- For some tasks (e.g. research), the interruptions are painfully frequent.
- Prompt-injection attacks are scary in theory, but very rare in the wild (so far).
- Unwanted agent behaviour is better mitigated by PreToolUse hooks.
So now, my settings.json just has:
{
  "permissions": {
    "allow": [
      "WebFetch",
      // ...
    ]
  }
}
See also: my permissions whitelist.
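As an illustration of the PreToolUse-hook point above, here is an added example (not the author's own hook) that vets each WebFetch URL even when `WebFetch` is allowed globally. It assumes the hook receives the tool call as JSON on stdin with `tool_name` and `tool_input.url` fields, that exit code 2 blocks the call, and that it is registered under `hooks.PreToolUse` with a `WebFetch` matcher. Apart from github.com, the deny list is hypothetical.

```python
"""PreToolUse hook: vet WebFetch URLs before the fetch runs (added example)."""
import ipaddress
import json
import sys
from urllib.parse import urlsplit

# Hypothetical deny list; github.com is the post's own "higher risk" example.
DENY_DOMAINS = {"github.com"}


def check_url(url):
    """Return a reason string if the fetch should be blocked, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "URL does not parse"
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return "URL must be https and name a host"
    if parts.username or parts.password:
        return "URL carries embedded credentials"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None and not ip.is_global:
        return f"{host} is a non-public address"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost is not allowed"
    for domain in DENY_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return f"{host} is on the deny list"
    return None


def decide(event):
    """Map a hook event (parsed stdin JSON) to (exit_code, message)."""
    if event.get("tool_name") != "WebFetch":
        return 0, ""
    reason = check_url(str((event.get("tool_input") or {}).get("url", "")))
    # Assumption: exit code 2 blocks the call and stderr is shown to the model.
    return (2, f"WebFetch blocked: {reason}") if reason else (0, "")


if __name__ == "__main__":
    code, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

The check works on the URL string only: it does not resolve DNS or follow redirects.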
