Feature request: Support wildcard subdomain matching for WebFetch domain permissions
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Currently, the WebFetch(domain:...) permission rule requires exact domain matching. This means that domain:example.com does not match www.example.com, requiring users to list each subdomain variant explicitly.
Current behavior:
"allow": [
"WebFetch(domain:better-auth.com)"
]
This does NOT allow fetching https://www.better-auth.com/... - Claude still prompts for permission.
Proposed Solution
Expected behavior:
Support wildcard syntax like WebFetch(domain:*.example.com) or have domain:example.com automatically include common subdomains like www.example.com.
Workaround:
Currently, users must explicitly list all subdomain variants:
"allow": [
"WebFetch(domain:better-auth.com)",
"WebFetch(domain:www.better-auth.com)"
]
Alternative Solutions
_No response_
Priority
Medium - Would be very helpful
Feature Category
Configuration and settings
Use Case Example
_No response_
Additional Context
Note:
Wildcard subdomain matching (e.g., *.gcr.io) is already supported in Claude Code on the web for default allowed domains. It would be helpful to extend this capability to local WebFetch permission rules.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗