I went from prompt to published site in under an hour
I described what I wanted. Brand guidelines, design system, content structure. Claude built the site, connected to Vercel through its official plugin, and deployed. Live URL, branded, functional. No code written by hand. Under an hour.
Then I set up a scheduled task that fetches fresh content daily, commits it to the repo, and Vercel auto-deploys. The site updates itself every morning without me touching it.
This was not a prototype I threw away. It is a production enablement site running at work right now.
Most people still think Claude is a chatbot that gives you answers. It is not. Claude Code is an autonomous agent that opens files, writes code, runs commands, pushes to GitHub, and triggers deployments. It does the work rather than just describing it.
And for security, that distinction matters a lot.
The naming confusion
There are three tabs in the Claude desktop app, and the names cause real confusion.
Chat. Standard conversation. No file access. This is what most people think "Claude" is.
Code. Interactive coding assistant with direct access to your local files. You review and approve each change. This is Claude Code in its traditional form.
Cowork. An autonomous background agent that runs tasks in a cloud VM. It can build, deploy, and maintain software independently while you do other work. Anthropic describes it as bringing "Claude Code's agentic capabilities to the desktop app for non-technical work."
That last part is slightly misleading. Cowork is not just for non-technical work. Its Dispatch feature actively routes coding tasks to Claude Code sessions. Fixing bugs, updating dependencies, running tests, opening pull requests. Dispatch handles all of it.
The common misconception is that Cowork is for knowledge work only: research, document editing, spreadsheets. In reality, it is a full coding agent running in an isolated cloud environment. It uses the same Agent SDK, the same tools, and the same models that power Claude Code's terminal experience.
Claude Code grew from a research preview to what Anthropic calls "a billion-dollar product in six months." MCP (the connector protocol) hit 100 million monthly downloads. This is not a side feature. It is the core of Anthropic's product strategy.
What the workflow actually looks like
Here is how the prompt-to-published-site pipeline works.
Building
- Open Cowork or Claude Code on the web (claude.ai/code)
- Connect your GitHub repository and the Vercel plugin
- Describe what you want built, including brand guidelines and design requirements
- Claude writes the code, starts a dev server, and previews the result in an embedded browser
- Auto-verify kicks in: Claude takes screenshots, inspects the DOM, clicks elements, fills forms, and fixes issues it finds
- Changes get pushed to a claude/-prefixed branch
- The Vercel connector triggers deployment
- Site is live
The bottleneck is the quality of your prompt, not the technical steps.
Maintaining
Claude Code supports cloud scheduled tasks that run on Anthropic's infrastructure. No machine required. Minimum interval is one hour.
The daily content fetch pattern:
- Scheduled task fires on cron
- Claude clones the repo to a fresh cloud VM
- Fetches content from external APIs or websites
- Writes or updates content files
- Commits and pushes to the repo
- Vercel auto-deploys
This is a fully automated publish pipeline. The site stays fresh without manual intervention.
Brand consistency
CLAUDE.md is a file at the root of your project that Claude reads at the start of every session. Put your brand guidelines, design system conventions, color tokens, component patterns, and tone-of-voice rules in there. Claude respects them across every session.
Combined with the auto-verify visual loop (screenshot, inspect, fix), Claude can literally see your site and compare it against the brand standards you defined. The Figma plugin gives it access to design files directly.
Skills (reusable markdown-defined workflows) can encode brand rules that load silently whenever Claude works on relevant files. No manual prompting needed each session.
The security model
This is where Claude Code gets interesting from a security perspective. It is meaningfully safer than most AI coding tools.
Isolated cloud VMs
Every cloud session runs in its own isolated virtual machine on Anthropic's infrastructure. Ubuntu 24.04, pre-installed with Node.js, Python, Go, Rust, Ruby, PHP, PostgreSQL, and Redis. Code and credentials never share a container between sessions.
This is a significant difference from tools like Cursor, Amp, or Cline, which execute directly on your local machine with your user permissions. A bad command in Claude Code's cloud environment affects an ephemeral VM, not your laptop.
Credential proxy
Git credentials are never inside the cloud sandbox. GitHub operations go through a dedicated proxy that uses scoped credentials. This means even if Claude Code's session were somehow compromised, your GitHub token is not exposed inside the execution environment.
For API keys and secrets, the cloud environment has its own encrypted variable storage. You configure them in the task settings, not in code.
Network restrictions
Cloud sessions have three network modes: limited (default), no internet, or full internet. The default limited mode only allows access to an allowlist covering GitHub, GitLab, Bitbucket, major package registries (npm, PyPI, RubyGems, crates.io), cloud provider APIs, and Docker registries.
This prevents a compromised or confused agent from making unexpected network requests. If your task does not need external API access, the default restrictions block it.
Permission system
Claude Code has five permission modes ranging from fully manual approval to fully autonomous. The default requires approval before file edits and commands. Even in Auto mode (Team/Enterprise only), background safety checks still run.
curl and wget are blocked by default. Suspicious commands get flagged even if they match the allowlist. The system defaults to requiring approval for anything it does not recognize.
Prompt injection defenses
Claude Code implements multiple layers of prompt injection defense: context-aware analysis of potentially harmful instructions, input sanitization, command blocklists, isolated context windows for web fetches, and command injection detection on bash. Fail-closed matching means unmatched commands default to requiring approval.
This is more defensive than most coding agents. Amp, for comparison, explicitly says it does not protect against prompt injection via Bash.
What to watch out for
The security model is strong, but not perfect.
MCP server trust
Claude Code connects to MCP servers for its plugin ecosystem. Anthropic does not manage or audit third-party MCP servers. If you install a community MCP server that has been compromised or is malicious, Claude Code will trust it and act on its instructions.
Vet your MCP servers. Stick to official plugins from Anthropic's marketplace when possible. Review what permissions each connector requests.
Auto-fix on pull requests
Claude Code can watch your pull requests and automatically push fixes for CI failures and review comments. Useful. Also potentially dangerous.
If your repository uses comment-triggered CI (Atlantis for Terraform, for example), Claude Code's automated PR comments could trigger infrastructure changes. An auto-fix that modifies a Terraform file and comments "fixed" could trigger a production deployment through Atlantis.
Understand your CI pipeline's triggers before enabling auto-fix.
Session sharing
Sessions from Pro and Max accounts are shareable, but shared sessions are public by default with no repository access verification. If someone shares a Claude Code session that contains proprietary code or debugging output with sensitive data, anyone with the link can view it.
Scheduled task catch-up
Desktop scheduled tasks have a catch-up behavior: if your machine was asleep during a scheduled run, Claude fires one catch-up when you wake up. A task written for 9 AM might run at 11 PM. If your task has time-sensitive logic (posting to social media at a specific hour, for example), use cloud scheduled tasks instead, which run on Anthropic's always-on infrastructure.
Computer use runs on your desktop
Dispatch can use computer use (screen interaction), but it runs on your actual desktop, not a sandboxed VM. This is a broader trust boundary than cloud sessions. Be aware of what is visible on screen when computer use is active.
How Claude Code compares on security
| Feature | Claude Code | Amp | Cursor | Manus |
| --- | --- | --- | --- | --- |
| Sandboxed execution | Yes (cloud VMs) | No | No | Yes (platform) |
| Credential proxy | Yes (scoped) | No | No | N/A |
| Secret redaction | No | Yes (automatic) | No | No |
| Network restrictions | Configurable (3 modes) | No | No | Platform-managed |
| Permission system | 5 modes | Granular | Limited | N/A |
| Prompt injection defense | Multi-layer | Explicitly none | Limited | Unknown |
| SOC 2 Type II | Yes | Yes | Yes | Yes |
| Code sent to providers | 1 (Anthropic) | 7+ | 1 (varies) | Unknown |
| Scheduled automation | Yes (cloud) | No | No | No |
Claude Code wins on sandboxing, credential handling, and network restrictions. Amp wins on secret redaction. Cursor and Manus lag behind on most security features.
The single-provider advantage is worth highlighting. Your code goes to Anthropic. That is it. Amp sends code to seven different inference providers. Fewer providers means a smaller attack surface for your intellectual property.
The security implications of autonomous site building
When an AI agent can build, deploy, and maintain a website autonomously, the security stakes change.
The good: Claude Code's isolated VMs, credential proxy, and network restrictions mean the build environment itself is safer than running an AI coding agent locally. Scheduled tasks that auto-deploy through Vercel mean fewer humans touching the deployment pipeline, which reduces the chance of manual errors like committing secrets or misconfiguring production settings.
The concern: Autonomous agents make the same categories of mistakes that AI coding tools always make. Missing authorization checks. Inconsistent input validation. No security headers. The agent builds what you ask for. It does not think about what could go wrong.
The difference with Claude Code is that you can encode security requirements into CLAUDE.md and they persist across every session. "Every API endpoint must verify resource ownership before returning data." "All forms must validate input with Zod." "Include CSP, HSTS, X-Frame-Options, and Permissions-Policy headers." These rules become part of the agent's context for every task it runs.
That is not a substitute for a security review. But it is a meaningful layer that tools like Manus, Lovable, and Bolt do not offer.
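The first CLAUDE.md rule above ("every API endpoint must verify resource ownership before returning data") is the one AI-generated handlers most often miss. The following is an added example, not code from the original post or from Anthropic: a vulnerable Next.js-style route handler beside its hardened form. Everything in it is constructed: the handlers take a Request and a params object, the caller's identity arrives in an x-user-id header (a real app would derive it from a verified session), and an in-memory Map stands in for the database.

```javascript
// Added example, not from the original post: the "verify resource ownership
// before returning data" rule as a vulnerable handler next to a hardened one.
// Assumptions (constructed): Next.js-style handlers (request, { params });
// x-user-id header as a stand-in for a verified session; Map as the database.

const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', body: 'Q3 launch plan' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', body: 'Salary bands' }],
]);

function json(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// Demo stand-in for session lookup; never trust a client-supplied id like this in production.
function currentUserId(request) {
  return request.headers.get('x-user-id') || null;
}

// Vulnerable: any caller can read any document by guessing its id
// (insecure direct object reference). This is the "missing authorization
// check" category the post describes.
function getDocumentInsecure(request, { params }) {
  const doc = documents.get(params.id);
  return doc ? json(doc, 200) : json({ error: 'not found' }, 404);
}

// Hardened: authenticate, validate the id's shape, load, then check ownership
// before any field leaves the handler. Missing and not-owned both answer 404
// so the endpoint does not confirm that someone else's document exists.
const DOC_ID = /^doc-\d{1,9}$/;

function getDocumentSecure(request, { params }) {
  const userId = currentUserId(request);
  if (!userId) return json({ error: 'unauthenticated' }, 401);
  if (!DOC_ID.test(params.id)) return json({ error: 'invalid id' }, 400);
  const doc = documents.get(params.id);
  if (!doc || doc.ownerId !== userId) return json({ error: 'not found' }, 404);
  return json(doc, 200);
}

// Drive a handler as a given user asking for a given id; returns the HTTP status.
function statusFor(handler, userId, id) {
  const headers = userId ? { 'x-user-id': userId } : {};
  const request = new Request(`http://localhost/api/docs/${encodeURIComponent(id)}`, { headers });
  return handler(request, { params: { id } }).status;
}

// Bob asking for Alice's document: the insecure handler returns 200, the secure one 404.
console.log(statusFor(getDocumentInsecure, 'bob', 'doc-1'), statusFor(getDocumentSecure, 'bob', 'doc-1'));
```

Node 18 or later is assumed for the global Request and Response. The ownership comparison sits after the load and before the response on purpose: a rule in CLAUDE.md is only useful if the check cannot be bypassed by a later code path that returns the object early.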
What to do if you are building with Claude Code
- Write security requirements into CLAUDE.md. Authorization checks, input validation, security headers, secrets management. Make them explicit. Claude follows them.
- Use cloud sessions for anything sensitive. The isolated VM and credential proxy are real security advantages over local execution.
- Vet your MCP servers. Stick to official plugins. Review permissions. Do not install community MCP servers without understanding what they do.
- Understand auto-fix before enabling it. Map your CI triggers. If you use comment-triggered infrastructure tools, auto-fix could cause unintended deployments.
- Do not skip security review just because the build environment is safer. The generated code still needs the same attention as any AI-generated application. Business logic, authorization, race conditions. The categories of vulnerability that all AI tools miss.
- Set up security headers and CSP before deploying. Claude Code does not add these by default. Neither does Vercel. Add them yourself or put them in CLAUDE.md so Claude adds them for you.
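The last point (headers and CSP before deploying) is the easiest to make concrete. What follows is an added example, not the post's own code and not a Vercel or Anthropic default: the CSP, HSTS, X-Frame-Options and Permissions-Policy headers named in the CLAUDE.md rule, in the shape a Next.js next.config.js headers() function returns, plus a small check that a regenerated config has not dropped any of them. The CSP sources (cdn.example.com, analytics.example.com) are placeholders you must replace with what your site actually loads.

```javascript
// Added example, not from the original post: security headers that neither
// Claude Code nor Vercel add by default, as next.config.js expects them.
// Assumptions: a Next.js app on Vercel; the CSP source hosts below are
// placeholders (constructed) to be replaced per site.

// Build a Content-Security-Policy string from a directive map so the policy
// is reviewable as data rather than as one long string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Constructed policy: self-only by default, explicit allowances for a
// hypothetical image CDN and analytics endpoint, no framing by anyone.
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"], // drop 'unsafe-inline' once styles use nonces or hashes
  'img-src': ["'self'", 'data:', 'https://cdn.example.com'],
  'connect-src': ["'self'", 'https://analytics.example.com'],
  'frame-ancestors': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'upgrade-insecure-requests': [],
};

const securityHeaders = [
  { key: 'Content-Security-Policy', value: buildCsp(cspDirectives) },
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// The four headers the CLAUDE.md rule names. Run this in CI so an agent
// regenerating the config cannot silently drop one.
const REQUIRED_HEADERS = [
  'Content-Security-Policy',
  'Strict-Transport-Security',
  'X-Frame-Options',
  'Permissions-Policy',
];

function missingRequiredHeaders(headers) {
  const present = new Set(headers.map((h) => h.key));
  return REQUIRED_HEADERS.filter((key) => !present.has(key));
}

// next.config.js shape: apply the headers to every route.
async function headers() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

// Export only when loaded as a CommonJS module (e.g. as next.config.js).
if (typeof module !== 'undefined') {
  module.exports = { headers, buildCsp, securityHeaders, missingRequiredHeaders };
}
```

Start with this policy in Content-Security-Policy-Report-Only on a preview deployment, read the violation reports, and only then switch the key to the enforcing header; a CSP that breaks the site on first deploy tends to get deleted rather than fixed.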
Frequently Asked Questions
Can Claude Code build a complete website?
Yes. Claude Code is a full autonomous coding agent that can create web applications from a text description. It writes code in any language (React, Next.js, Python, Go, and more), runs a dev server, verifies the result visually, pushes to GitHub, and deploys through Vercel or other platforms via official plugins. It can also maintain the site with scheduled tasks that auto-fetch content and deploy updates daily.
Is Cowork just for knowledge work?
No. This is a common misconception. The Cowork tab in Claude's desktop app runs an autonomous background agent in a cloud VM. Its Dispatch feature routes coding tasks to full Claude Code sessions. It can fix bugs, update dependencies, run tests, open pull requests, and deploy applications. Anthropic positioned it as bringing "Claude Code's agentic capabilities to the desktop app" for both technical and non-technical work.
Is Claude Code secure for building production sites?
Claude Code has the strongest build environment security of the AI coding tools we have tested. Cloud sessions run in isolated VMs with scoped credential proxies (your GitHub token is never inside the sandbox), configurable network restrictions, and multi-layer prompt injection defenses. SOC 2 Type II certified. However, the code it generates still has the same vulnerability patterns as all AI-generated code: missing authorization, inconsistent validation, no security headers by default. The build environment is secure. The output still needs review.
How does Claude Code handle my secrets and credentials?
In cloud sessions, git credentials are never inside the sandbox. A dedicated proxy handles GitHub authentication using scoped credentials. API keys and environment variables are stored in encrypted cloud environment settings, not in code. Claude Code does not have built-in automatic secret redaction (Amp does), so you should still use .env files, keep secrets out of your codebase, and add secret-related rules to CLAUDE.md.
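Because there is no automatic secret redaction, the place to catch a leaked credential is before the scheduled task commits. The block below is an added example, not the post's code and not a Claude Code feature: a small scanner run over the files a task is about to stage, with an allowance for lines that reference an environment variable rather than a literal. The patterns are a constructed starting set, not a complete list, and the sample files and values (including the AWS documentation example key AKIAIOSFODNN7EXAMPLE) are constructed.

```javascript
// Added example, not from the original post: pre-commit secret check for files a
// scheduled task is about to commit. Patterns are a constructed starting set.

const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  {
    name: 'Generic assignment',
    // key/secret/token/password followed by a literal of 16+ characters
    re: /\b(?:api[_-]?key|secret|token|password)\b['"]?\s*[:=]\s*['"]?[A-Za-z0-9_\-]{16,}/i,
  },
];

// A reference to an environment variable is the correct pattern, not a finding.
const ENV_REFERENCE = /process\.env\.|\$\{?[A-Z_]{3,}\}?|os\.environ/;

// Returns one finding per offending line (first matching pattern wins).
function scanText(text, filename = '<text>') {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    if (ENV_REFERENCE.test(line)) return;
    const hit = SECRET_PATTERNS.find(({ re }) => re.test(line));
    if (hit) findings.push({ file: filename, line: index + 1, kind: hit.name });
  });
  return findings;
}

// files: { path: contents } for everything staged for the commit.
function scanFiles(files) {
  return Object.entries(files).flatMap(([name, text]) => scanText(text, name));
}

function shouldBlockCommit(files) {
  return scanFiles(files).length > 0;
}

// Constructed sample of what a daily content-fetch task might stage.
const staged = {
  'content/daily.md': '# Daily update\n\nFetched 2 items from the source feed.\n',
  'lib/fetch.js': 'const key = process.env.CONTENT_API_KEY;\n', // reference, not a literal
  'config/local.json': '{ "api_key": "sk_live_0123456789abcdefghij" }\n', // constructed literal
  'deploy/.env.sample': 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n', // AWS docs example key
  'notes.txt': 'token = ghp_' + 'a'.repeat(36) + '\n', // constructed token shape
};

for (const f of scanFiles(staged)) {
  console.log(`${f.file}:${f.line}: possible ${f.kind}`);
}
if (shouldBlockCommit(staged)) console.log('commit blocked');
```

Wire this in as the step between "writes or updates content files" and "commits and pushes": if it reports anything, the task should fail rather than push, and the CLAUDE.md secret rule should tell Claude to read values from the environment only. Pattern scanners miss high-entropy strings with no recognizable prefix, so this is a floor, not a replacement for keeping secrets in the encrypted environment settings.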
What is CLAUDE.md and why does it matter for security?
CLAUDE.md is a configuration file at the root of your project that Claude reads at the start of every session. It acts as persistent memory for project rules, conventions, and requirements. You can encode security rules (authorization checks on every endpoint, input validation requirements, security header configuration) that Claude follows across all sessions and scheduled tasks. Few AI coding tools have an equivalent persistent instruction system at this level of integration.
Claude Code is the most capable autonomous site builder available. If you are using it to build something real and want a security review before launch, get in touch.