How to Secure Claude Code for Your Business

What Claude Code can do that requires attention

• Read any file it has access to in your working directory
• Execute terminal commands including ones that modify or delete files
• Make API calls using credentials it finds in environment variables
• Push code changes to your repository if git credentials are available
• Access any tool or MCP server configured in its environment

Safe defaults for business operators

• Run Claude Code in a dedicated working directory — not your home folder or production codebase
• Never store API keys or credentials as plain text in files within Claude's working directory
• Use read-only credentials where possible for any system Claude connects to
• Review every file change and command before allowing it to execute in production
• Keep Claude Code sessions scoped to one task at a time

What not to do

• Don't give Claude Code access to production databases during development sessions
• Don't store Stripe, AWS, or payment credentials in files Claude can read
• Don't run Claude Code as a root or admin user
• Don't allow automated Claude Code sessions without human review of the output
• Don't share Claude Code session logs that contain sensitive business or customer data

The simple question to ask before each session

What is the worst thing Claude could do with the access it has right now — and am I OK with that risk? If the answer is no, scope down the access before starting.