Anthropic released sandboxing capabilities for Claude Code and launched a web-based version of the tool that runs in isolated cloud environments. The company introduced these features to address security risks that arise when Claude Code writes, tests, and debugs code with broad access to developer codebases and files. According to Anthropic, “Giving Claude this much access to your codebase and files can introduce risks, especially in the case of prompt injection.” The new sandboxing approach creates pre-defined boundaries within which Claude can operate, reducing the number of permission prompts developers receive while the company claims it increases safety protections.
Anthropic built the sandboxing approach on operating system-level features that establish two security boundaries. The first boundary provides filesystem isolation, which the company states “ensures that Claude can only access or modify specific directories.” Anthropic positions this as protection against prompt-injected versions of Claude modifying sensitive system files. The second boundary implements network isolation, which the company says “ensures that Claude can only connect to approved servers.” This aims to prevent a compromised Claude instance from leaking sensitive information or downloading malware.
Source: Claude Code’s Sandboxing Architecture
Anthropic emphasizes that both isolation techniques must work together for effective protection. The company notes that without network isolation, a compromised agent could exfiltrate sensitive files like SSH keys, while without filesystem isolation, a compromised agent could escape the sandbox and gain network access.
The web-based version of Claude Code uses a custom proxy service to handle git interactions. Inside the sandbox, the git client authenticates to this service with what Anthropic describes as a custom-built scoped credential. The proxy verifies this credential and the contents of the git interaction, such as ensuring it only pushes to the configured branch, before attaching the appropriate authentication token and sending the request to GitHub.
When developers start a task on Claude Code on the web, the system clones their repository to an Anthropic-managed virtual machine. Claude then calls a secure cloud environment with the user’s code and configures internet access based on user settings. During task execution, Claude analyzes code, makes changes, runs tests, and checks its work. Upon completion, users receive notification that the task is finished and can create a pull request with the changes, which are pushed to a branch ready for review.
Anthropic positions sandboxing as a solution to limitations in traditional permission-based security systems that require constant user approval for bash commands. The company identifies several issues with the permission-based approach, including what it calls approval fatigue, where repeatedly clicking approve can cause users to pay less attention to what they’re approving. The traditional model also creates productivity slowdowns through constant interruptions and limits Claude Code’s efficiency when it must wait for approvals.
The sandboxing model addresses these issues through a different approach. According to Anthropic, the system works by defining clear boundaries that specify which directories and network hosts Claude Code can access. This reduces the number of permission prompts, as safe commands within the sandbox do not require approval. The company states that attempts to access resources outside the sandbox trigger immediate notifications, while Claude Code can run more independently within the defined limits.
Simon Willison, co-creator of Django, described his experience with preview access to the system. He characterized it as
effectively a sandboxed instance of ‘claude –dangerously-skip-permissions’ running in Anthropic’s container.
This comparison highlights how the sandboxing approach changes the permission model by establishing upfront boundaries rather than requesting approval for each individual action.
Dan Shipper, co-founder and CEO of every.to, noted the deployment architecture and accessibility of the web version. He explained that the system
lets you kick off tasks on the web or mobile—like Codex
and that
everything runs in a VM on the cloud.
Daniel San, co-founder and CTO of aitmpl.com, provided technical context on the security architecture. He distinguished between container-level and application-level protections, stating that
Docker provides system-level isolation, while Claude Code’s sandbox adds fine-grained security controls that restrict what files and network resources an agent can access during execution.
Developers interested in the technical implementation can review the sandbox runtime source code on GitHub, where Anthropic has published the experimental repository. The main Claude Code repository is also available on GitHub for those who want to examine the tool’s codebase. Anthropic has also published a course on Skilljar that demonstrates Claude Code in action for developers who want to see the tool’s capabilities before testing it themselves.
