such wow doge
AI WOW

Claude Code: allow web fetch on all domains

(updated )

By default, Claude Code asks for permission every time it fetches content from a domain you haven't already whitelisted.

I went along with this for a while, gradually adding more and more domains to the global whitelist in ~/.claude/settings.json, while omitting domains I consider higher risk (e.g. github.com).

On reflection, I think that the "always ask if not whitelisted" default doesn't make sense for most users:

  • Key reason: permission fatigue kills the security value. You quickly start hitting enter reflexively on these prompts. You're never actually going to check each web page. So the prompts do roughly nothing other than slow you down. The most likely case where it might catch something: if there were an obviously questionable imitation domain (e.g. github.net) that you managed to notice before hitting "Enter".
  • Prompt-injection attacks are scary in theory, but very rare in the wild (so far). For now, I'm more worried that Claude will take some destructive action that you I didn't intend due to it's misjudgement/my miscommunication. An unexpected WebFetch probably won't be the cause of that.
  • Unwanted agent behaviour is better mitigated by PreToolUse hooks, sandboxing, or containerisation.
  • The cost of this default—constant interruptions—is very high.

So now, my settings.json just has:

{
  "permissions": {
    "allow": [
      "WebFetch",
      // ...
    ]
  }
}

See also: my permissions whitelist.