# Fine-grained HTTP Filtering for Claude Code

Posted on: September 12, 2025

## Overview

As coding AI agents like Claude become more powerful, security and governance tools lag behind, leading to risks such as agents performing destructive actions, leaking sensitive info, or operating with excessive authority.

Many developers run these agents with overly permissive settings (e.g., claude --dangerously-skip-permissions), creating security concerns especially in important organizations.

To address this, httpjail is introduced—a tool to enforce default-deny HTTP(S) policies for dev tools and AI agents, allowing scripting of flexible rules in JavaScript or shell, logging every request, and keeping network egress scoped within your policy.

---

## Risks Mitigated by httpjail

| Risk | Example |
|--------------------------------|--------------------------------------------|
| Agents performing destructive actions | Deleting your database |
| Agents leaking sensitive information | Exposing API keys or credentials |
| Agents operating with more authority | Pushing directly to main instead of PR |

Agents may violate policies accidentally or maliciously (e.g., prompt injection).

---

## What is httpjail?

- Implements an HTTP(S) interceptor alongside process-level network isolation.
- By default, allows all DNS (udp:53) traffic but blocks all other non-HTTP(S) traffic.
- Rules are JavaScript expressions or shell scripts instead of fixed firewall rule syntax.
- More flexible and easier to use than traditional IP-based firewall rules.

### Example Use Cases

- Block all HTTP requests except LLM API traffic (e.g., api.anthropic.com):
- Allow only GET requests (make internet read-only):
- Allow hosts only from a whitelist in a file:

---

## How httpjail Works

### Setup Modes

- Linux (Strong mode):
  - Uses network namespaces, nftables redirects.
  - Runs with dropped privileges (setuid to the invoking user).
- macOS (Weak mode):
  - Uses environment variables HTTP_PROXY and HTTPS_PROXY.
  - Relies on process cooperation to respect proxy settings, not a full jail.

### Interception

- Acts as a proxy on ports 8080/8443.
- Evaluates user-defined JS or shell rules on each HTTP(S) request.
- Allows or blocks requests accordingly.

### TLS Interception

- Performs full TLS interception to inspect and filter HTTPS traffic.
- Generates a self-signed Certificate Authority (CA) stored at ~/.config/httpjail/.
- Dynamically generates and signs certificates per-host using a shared ECDSA P-256 key.
- Supports transparent proxy mode and explicit proxy mode to handle TLS CONNECT tunnels.
- Automatically sets environment variables to inject trust for common tools (OpenSSL, curl, Node.js, Python requests, Git).

---

## Jail Escapes and Limitations

- Weak mode (macOS): Agents can trivially bypass by ignoring proxy variables.
- Strong mode: Not foolproof. Agents might escape via filesystem-level exploits such as creating containers outside the network namespace (via Docker socket).
- Mitigation: Use --docker-run flag to launch containers inside the network jail. Example:

Despite imperfections, the approach significantly reduces risks, especially from accidental or non-malicious escapes.

---

## Server Mode for Strong Isolation

Recommended for maximum enforcement:

- Run httpjail --server on a dedicated proxy server.
- Configure network firewall to only allow HTTP/HTTPS traffic to the
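
The three use cases listed under Example Use Cases, combined into one default-deny policy function. This is an added example, not code from httpjail or from the original post; the request shape `{method, url}`, the function names and the sample allowlist are assumptions made for the illustration.

```javascript
// Added illustration of a default-deny egress policy. The request shape
// {method, url} and all names here are assumptions, not httpjail's rule API.

// Constructed sample of an allowlist file: one host per line, '#' comments.
const SAMPLE_ALLOWLIST = `
# LLM API
api.anthropic.com
# package mirror, written with mixed case and a trailing root dot
Registry.NPMJS.org.
`;

// Lowercase and strip the trailing root dot so "Host." and "host" compare equal.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Parse allowlist text into a Set of normalized hostnames.
function parseAllowlist(text) {
  return new Set(
    text.split("\n")
      .map((line) => line.replace(/#.*/, "").trim())
      .filter(Boolean)
      .map(normalizeHost)
  );
}

const LLM_HOSTS = new Set(["api.anthropic.com"]);

// Returns {allow, reason}. Anything not explicitly allowed is denied.
function evaluate(req, allowlist) {
  let url;
  try {
    url = new URL(req.url); // a real parser handles userinfo, ports and case
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  const host = normalizeHost(url.hostname);
  // Exact match only: a suffix or substring test would also admit a
  // look-alike such as "api.anthropic.com.example.net".
  if (LLM_HOSTS.has(host)) return { allow: true, reason: "LLM API" };
  if (!allowlist.has(host)) return { allow: false, reason: "host not in allowlist" };
  if (req.method !== "GET") return { allow: false, reason: "allowlisted host is read-only" };
  return { allow: true, reason: "read-only allowlisted host" };
}
```

Returning a reason with every verdict gives the per-request log line something to record, which makes denied requests easy to audit.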