[DOCS] Missing configuration example for Windows WebDAV security warning

Resolved 💬 3 comments Opened Jan 18, 2026 by coygeek Closed Feb 28, 2026

Documentation Type

Missing code examples

Documentation Location

https://code.claude.com/docs/en/security

Section/Topic

The "Additional safeguards" section, specifically the warning box labeled "Windows WebDAV security risk".

Current Documentation

The documentation currently contains this warning block:

Windows WebDAV security risk: When running Claude Code on Windows, we recommend against enabling WebDAV or allowing Claude Code to access paths such as \\* that may contain WebDAV subdirectories. WebDAV has been deprecated by Microsoft%20service%20is%20deprecated) due to security risks. Enabling WebDAV may allow Claude Code to trigger network requests to remote hosts, bypassing the permission system.

What's Wrong or Missing?

While the documentation advises users against allowing access to paths such as \\*, it does not provide the concrete configuration steps to enforce this restriction. Users may not know the correct syntax for the permissions configuration, particularly regarding how to properly escape backslashes in the settings.json file to target UNC paths/WebDAV. Without a snippet, the security advice is actionable only if the user guesses the correct pattern syntax.

Suggested Improvement

Please add a code snippet immediately following the warning box that demonstrates how to explicitly deny these paths in the settings file.

Suggested addition:

To explicitly block access to these paths, add the following rule to your permissions.deny configuration in settings.json:

{
  "permissions": {
    "deny": [
      "Read(\\\\*)"
    ]
  }
}

Impact

High - Prevents users from using a feature

Additional Context

  • Providing the exact JSON syntax is crucial because escaping backslashes in JSON strings (using \\\\) is a common point of confusion.
  • This aligns with the "Safe by default" philosophy mentioned in the "Built-in protections" section of the same page.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗