[DOCS] Settings and sandbox docs missing `sandbox.network.deniedDomains` configuration

Resolved 💬 2 comments Opened Apr 17, 2026 by coygeek Closed Apr 29, 2026

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/settings

Section/Topic

Sandbox settings (network.allowedDomains / network.allowManagedDomainsOnly)

Current Documentation

The settings page documents the allowlist settings, but not the denylist setting added in v2.1.113:

| network.allowedDomains | Array of domains to allow for outbound network traffic. Supports wildcards (e.g., *.example.com). | ["github.com", "*.npmjs.org"] | | network.allowManagedDomainsOnly | (Managed settings only) Only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. Domains from user, project, and local settings are ignored. Non-allowed domains are blocked automatically without prompting the user. Denied domains are still respected from all sources. Default: false | true |

Related pages also refer to the allowlist without documenting the denylist setting itself:

Network restrictions combine WebFetch permission rules with the sandbox's allowedDomains list
| sandbox.network.allowManagedDomainsOnly | When true, only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. Non-allowed domains are blocked automatically without prompting the user. Denied domains still merge from all sources |
Domain restrictions: Only approved domains can be accessed User confirmation: New domain requests trigger permission prompts (unless allowManagedDomainsOnly is enabled, which blocks non-allowed domains automatically)

What's Wrong or Missing?

Changelog v2.1.113 added sandbox.network.deniedDomains to block specific domains even when a broader allowedDomains wildcard would otherwise allow them. The current docs mention that denied domains exist, but they do not document:

  • the setting name users need to configure
  • the expected syntax
  • how deny rules interact with allowedDomains
  • an example where a specific denied domain overrides a broader wildcard allow rule

Suggested Improvement

Add network.deniedDomains to the sandbox settings reference and cross-reference it from the permissions and sandboxing pages.

Suggested coverage:

  • document the setting name and where it belongs in the JSON structure
  • explain that matching deny entries override broader allowedDomains matches
  • clarify whether the same wildcard syntax is supported for deny entries
  • add an example such as:
{
"sandbox": {
"network": {
"allowedDomains": ["*.example.com"],
"deniedDomains": ["admin.example.com"]
}
}
}

If this property is also available through the Agent SDK sandbox config, update that reference page as well so the type definition and property table stay aligned with the settings docs.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/settings | Sandbox settings table documents network.allowedDomains but not the new denylist setting |
| https://code.claude.com/docs/en/permissions | Explains that denied domains merge from all sources, but does not document the setting that defines them |
| https://code.claude.com/docs/en/sandboxing | Describes domain restrictions at a high level without the deniedDomains configuration |
| https://code.claude.com/docs/en/agent-sdk/typescript | SandboxNetworkConfig lists allowedDomains and allowManagedDomainsOnly but not the denylist property |

Total scope: 4 pages affected

Source: Changelog v2.1.113

Exact changelog entry:

Added sandbox.network.deniedDomains setting to block specific domains even when a broader allowedDomains wildcard would otherwise permit them

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗