diff --git a/cms/envs/common.py b/cms/envs/common.py
index 1207b8fe05..260aa30cd2 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -368,3 +368,5 @@ MKTG_URL_LINK_MAP = {
     'HONOR': 'honor',
     'PRIVACY': 'privacy_edx',
 }
+
+COURSES_WITH_UNSAFE_CODE = []
diff --git a/common/djangoapps/util/sandboxing.py b/common/djangoapps/util/sandboxing.py
index 7d1c1da06f..2024f8fa27 100644
--- a/common/djangoapps/util/sandboxing.py
+++ b/common/djangoapps/util/sandboxing.py
@@ -14,7 +14,9 @@ def can_execute_unsafe_code(course_id):
     """
     # To decide if we can run unsafe code, we check the course id against
     # a list of regexes configured on the server.
-    for regex in settings.COURSES_WITH_UNSAFE_CODE:
+    # If this is not defined in the environment variables then default to the most restrictive, which
+    # is 'no unsafe courses'
+    for regex in getattr(settings, 'COURSES_WITH_UNSAFE_CODE', []):
         if re.match(regex, course_id):
             return True
     return False
diff --git a/common/djangoapps/util/tests/test_sandboxing.py b/common/djangoapps/util/tests/test_sandboxing.py
index 4bccac707f..c76132696a 100644
--- a/common/djangoapps/util/tests/test_sandboxing.py
+++ b/common/djangoapps/util/tests/test_sandboxing.py
@@ -25,3 +25,10 @@ class SandboxingTest(TestCase):
         """
         self.assertTrue(can_execute_unsafe_code('edX/full/2012_Fall'))
         self.assertTrue(can_execute_unsafe_code('edX/full/2013_Spring'))
+
+    def test_courses_with_unsafe_code_default(self):
+        """
+        Test that the default setting for COURSES_WITH_UNSAFE_CODE is an empty setting, e.g. we don't use @override_settings in these tests
+        """
+        self.assertFalse(can_execute_unsafe_code('edX/full/2012_Fall'))
+        self.assertFalse(can_execute_unsafe_code('edX/full/2013_Spring'))