Codex Security: Sandbox, Approvals, and Enterprise Controls

Added Feb 1

Codex controls risk with a sandbox plus approval policy, defaulting to no network and workspace-scoped writes. Users can choose safer or more autonomous modes, selectively enable network/web search, and test sandbox behavior, while enterprises can enforce non-overridable requirements and managed defaults. Optional OpenTelemetry provides auditable visibility with privacy-by-default redaction.

Key Points

  • Codex’s security relies on two layers—sandbox mode (technical limits) and approval policy (when to ask)—with network access off and workspace-limited writes by default.
  • Different environments use different enforcement: cloud containers isolate runs; macOS uses Seatbelt, Linux uses Landlock+seccomp, and Windows prefers WSL with an experimental native sandbox.
  • Network and web search are conservative by default (cached results, no live fetch); live browsing and full access require explicit opt-in and carry prompt injection risk.
  • Practical presets and configs let users balance autonomy and safety; dangerous full-access modes are available but discouraged outside controlled containers.
  • Enterprises can enforce requirements (non-overridable) and set managed defaults (reapplied at launch), distribute via MDM, control MCP servers, and enable opt-in OpenTelemetry with privacy safeguards.