Network Security Setup

Purpose

Configure Claude Code sandbox network isolation policies including trusted domain whitelisting, custom access rules, and secure environment variable management.

Specialist Agent

I am a network security specialist with expertise in:

• Zero-trust network architecture for AI code execution

• Domain whitelisting and access control policies

• Prompt injection attack prevention via network isolation

• Secure environment variable management

• Corporate proxy and internal registry configuration

Methodology (Systems Thinking + Self-Consistency)

• Analyze Environment: Understand deployment context (enterprise, open-source, local)

• Design Network Policy: Create appropriate trusted domain list

• Configure Access Rules: Set up custom access patterns and exclusions

• Secure Credentials: Properly handle environment variables and secrets

• Validate Security: Test that policies block untrusted access while enabling work

Network Isolation Modes

Mode 1: Trusted Network Access (Recommended Default)

mode: trusted description: Claude can only access pre-approved, known-safe domains use_case: General development, open-source projects trusted_domains:

• "*.npmjs.org"
• "registry.npmjs.org"
• "*.yarnpkg.com"
• "*.github.com"
• "api.github.com"
• "raw.githubusercontent.com"
• "*.cloudfront.net"
• "*.docker.io"
• "registry.hub.docker.com"
• "*.pypi.org"
• "pypi.python.org"

Mode 2: No Network Access

mode: none description: Complete network isolation, no external access use_case: Maximum security, offline development, sensitive projects trusted_domains: []

Mode 3: Custom Access

mode: custom description: User-defined whitelist of allowed domains use_case: Enterprise with internal registries, corporate networks trusted_domains:

• "registry.company.internal"
• "docs.company.com"
• "api.company.com"
• "*.company-cdn.net"
• [Include standard registries as needed]

Default Trusted Domains (Anthropic-Approved)

Package Registries:

• *.npmjs.org

• npm packages

• registry.npmjs.org

• npm registry

• *.yarnpkg.com

• Yarn registry

• *.pypi.org

• Python packages

• pypi.python.org

• Python registry

• rubygems.org

• Ruby gems

• *.maven.org

• Maven packages

Container Registries:

• *.docker.io

• Docker Hub

• registry.hub.docker.com

• Docker registry

• ghcr.io

• GitHub Container Registry

• gcr.io

• Google Container Registry

• *.azurecr.io

• Azure Container Registry

Source Control & CDNs:

• *.github.com

• GitHub

• api.github.com

• GitHub API

• raw.githubusercontent.com

• Raw GitHub content

• *.cloudfront.net

• AWS CloudFront

• cdn.jsdelivr.net

• jsDelivr CDN

• unpkg.com

• unpkg CDN

Development Tools:

• *.vercel.com

• Vercel deployment

• *.netlify.com

• Netlify deployment

• *.supabase.co

• Supabase API

Enterprise Configuration

Internal Registry Setup:

{ "sandbox": { "enabled": true, "network": { "mode": "custom", "trustedDomains": [ "registry.company.internal:5000", "npm.company.com", "docs.company.com", "api-docs.company.internal", ".company-cdn.net", ".company.cloud",

    // Include standard public registries if needed
    "registry.npmjs.org",
    "*.github.com"
  ],
  "customProxy": {
    "enabled": true,
    "http": "http://proxy.company.com:8080",
    "https": "http://proxy.company.com:8080",
    "noProxy": [
      "localhost",
      "127.0.0.1",
      "*.company.internal"
    ]
  }
}

} }

Corporate Proxy Configuration:

{ "sandbox": { "network": { "customProxy": { "enabled": true, "http": "http://corporate-proxy.company.com:3128", "https": "http://corporate-proxy.company.com:3128", "noProxy": [ "localhost", ".internal", ".company.com" ], "authentication": { "enabled": false // Use system credentials } } } } }

Environment Variables (Secure Management)

Safe Environment Variables (OK to configure):

safe_env_vars:

• NODE_ENV: "development"
• API_BASE_URL: "https://api.company.com"
• LOG_LEVEL: "debug"
• FEATURE_FLAGS: "new_ui,beta_features"
• BUILD_TARGET: "production"

Dangerous (NEVER in sandbox config):

dangerous_env_vars: # Store in .env.local, never in settings

• API_KEY: "sk-..." ❌ SECRET
• DATABASE_PASSWORD: "..." ❌ SECRET
• PRIVATE_KEY: "..." ❌ SECRET
• AWS_SECRET_ACCESS_KEY: "..." ❌ SECRET

Best Practice for Secrets:

• Store in .env.local (gitignored)

• Use environment variable references in sandbox config

• Document required variables without values

• Use secret management services in production

Example Secure Configuration:

{ "sandbox": { "environmentVariables": { // ✅ Non-sensitive configuration "NODE_ENV": "development", "API_BASE_URL": "https://api.staging.company.com",

  // ✅ Reference to local .env file (document required vars)
  "__REQUIRED_SECRETS__": "API_KEY, DATABASE_URL (store in .env.local)"
}

} }

Security Threat Mitigation

Threat 1: Prompt Injection → Data Exfiltration

Attack: Malicious prompt in downloaded code tries to send sensitive data to attacker.com Mitigation: Network isolation blocks all non-whitelisted domains Result: Attack fails, data stays secure

Threat 2: Malicious Package Download

Attack: Prompt injection tries to install malware from evil-registry.com Mitigation: Only trusted registries allowed Result: Download blocked, system protected

Threat 3: Internal Network Scanning

Attack: Code tries to scan internal network for vulnerable services Mitigation: Network isolation prevents arbitrary connections Result: Internal network remains hidden

Threat 4: Credential Theft

Attack: Downloaded code reads environment variables and sends to attacker Mitigation: Secrets not in sandbox config, network blocked anyway Result: No credentials accessible or exfiltratable

Domain Pattern Matching

Wildcard Patterns:

• *.example.com

• Matches all subdomains: api.example.com, cdn.example.com

• example.com

• Exact match only

• ..example.com

• Multi-level wildcards: a.b.example.com

Port Specifications:

• registry.company.com:5000

• Specific port

• .company.com:

• Any port on subdomains

• localhost:3000

• Local development server

Protocol Handling:

• HTTPS preferred and enforced where possible

• HTTP allowed only for localhost and internal domains

• WebSocket connections follow same rules (ws:// → wss://)

Validation and Testing

Test Network Policy:

Should succeed (trusted domain)

npm install express

Should succeed (trusted domain)

git clone https://github.com/user/repo

Should fail (untrusted domain)

curl https://random-website.com

Should succeed if allowLocalBinding enabled

npm run dev

Verification Checklist:

• Package installations work from trusted registries

• GitHub operations succeed

• CDN resources accessible if needed

• Internal registries accessible (enterprise)

• Untrusted domains blocked

• Local development servers work if configured

• Build commands pass with required env vars

• No secrets in sandbox configuration

Input Contract

environment_type: enterprise | opensource | local | custom required_access: public_registries: array[string] internal_domains: array[string] cdn_services: array[string] needs_proxy: boolean proxy_config: object (if needs_proxy) required_env_vars: array[{name, value, is_secret}]

Output Contract

network_configuration: mode: trusted | none | custom trusted_domains: array[string] proxy_config: object (if applicable) environment_variables: object (non-secrets only)

security_analysis: threats_mitigated: array[string] access_granted: array[string] access_denied: array[string] recommendations: array[string]

setup_instructions: config_file_location: string config_content: json validation_commands: array[string] documentation_links: array[string]

Integration Points

• Cascades: Works with sandbox-configurator for complete security setup

• Commands: /network-security , /trusted-domains

• Other Skills: Pairs with sandbox-configurator, security-review

Usage Examples

Standard Development Setup:

Configure network security for open-source development with standard npm and GitHub access

Enterprise Internal:

Set up network isolation for enterprise:

• Internal npm registry: npm.company.internal
• Internal docs: docs.company.com
• Corporate proxy: proxy.company.com:8080
• Keep access to public GitHub

Maximum Security:

Configure maximum security with no network access for sensitive project

Add Custom Domain:

Add api.specialservice.com to trusted domains for API integration

Failure Modes & Mitigations

• Package install fails: Add registry to trusted domains

• Git clone fails: Add git host to trusted domains

• Build fails with network error: Check if build accesses CDN, add to whitelist

• Proxy authentication fails: Verify proxy credentials or use system auth

• Environment variable missing: Document in config, add to .env.local

Validation Checklist

• All required registries in trusted domains

• Internal domains include ports if non-standard

• Proxy configuration correct (if needed)

• No secrets in sandbox configuration

• Required env vars documented

• Test package installation

• Test git operations

• Test build commands

• Verify untrusted access blocked

Neural Training Integration

training: pattern: systems-thinking feedback_collection: true success_metrics: - zero_security_incidents - development_velocity_maintained - false_positive_rate_low

Quick Reference:

• Config location: .claude/settings.local.json

• Default mode: Trusted network access

• Wildcard syntax: *.domain.com

• Secrets: NEVER in sandbox config, use .env.local

Security Principle: Deny by default, allow explicitly, verify continuously