[DOCS] Network docs should warn that untrusted LLM proxies can modify Claude Code request context
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/network-config
https://code.claude.com/docs/en/data-usage
https://code.claude.com/docs/en/security
https://code.claude.com/docs/en/llm-gateway
https://code.claude.com/docs/en/env-vars
Section/Topic
Proxy and LLM gateway trust boundary for request integrity, system prompts, and tool definitions
Current Documentation
The data-usage page currently says:
Claude Code runs locally. To interact with the LLM, Claude Code sends data over the network. This data includes all user prompts and model outputs, encrypted in transit via TLS 1.2+. Claude Code is compatible with most popular VPNs and LLM proxies.
The network-config page currently says:
Claude Code supports various enterprise network and security configurations through environment variables. This includes routing traffic through corporate proxy servers, trusting custom Certificate Authorities (CA), and authenticating with mutual Transport Layer Security (mTLS) certificates for enhanced security.
It also documents standard proxy variables:
HTTPS_PROXYHTTP_PROXYNO_PROXY
The security page documents prompt-injection protections, user responsibility, permission prompts, and best practices for untrusted content.
What's Wrong or Missing?
The docs document how to configure proxies and say Claude Code is compatible with LLM proxies, but they do not clearly describe the request-integrity trust boundary.
An LLM proxy or gateway that terminates TLS and forwards Claude API requests is not just a transport detail. Depending on how it is configured, it may be able to observe or modify request payloads, including:
- user prompts;
- built-in and user-supplied system prompt content;
- tool definitions;
- beta headers and feature-specific request parameters;
- model names and routing;
- prior conversation history included in each request.
The current docs do warn about prompt injection from untrusted content and recommend reviewing tool actions, but they do not clearly warn that an untrusted proxy/gateway itself can become a request-modifying actor. This is important because the data-usage page's "compatible with most popular VPNs and LLM proxies" wording could be read as purely operational compatibility, without making the security trust boundary obvious.
Suggested Improvement
Add a warning or "Trust boundary" subsection to network-config, data-usage, or llm-gateway.
Suggested coverage:
- Distinguish transport proxies, TLS-inspection proxies, and LLM/API gateways.
- State that users should route Claude Code through only proxies/gateways they control or trust.
- Explain that a proxy/gateway that can inspect or rewrite API traffic may be able to modify prompts, system prompts, tools, model routing, or other request fields.
- Recommend organizational controls for trusted gateways:
- change control for gateway prompt/request transforms;
- audit logging for request rewrites;
- restricted admin access;
- explicit user/admin disclosure when request transformations are enabled.
- Cross-link from
ANTHROPIC_BASE_URL,HTTP_PROXY,HTTPS_PROXY, and LLM gateway docs.
Possible wording:
Use only proxies and LLM gateways that you control or trust. A gateway that terminates TLS or rewrites Anthropic API requests can see or modify request payloads, including user prompts, system prompts, tool definitions, model routing, and conversation history. Treat such gateways as part of your trusted computing base and audit any request-transformation rules.
Impact
Medium - Makes feature difficult to understand
Additional Context
This came up in the public discussion on:
A commenter asked whether a proxy could return malicious system-prompt content. A commenter with an Anthropic company profile replied:
From a security standpoint, we do not recommend using Claude Code through an untrusted proxy. A proxy that you do not control or trust could unsafely modify the system prompt for any request that Claude Code makes to the Claude API.
That guidance is useful, but I could not find it stated in the current proxy, LLM gateway, data-usage, or security docs.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗