[BUG] Potential user privacy leak by `GET https://claude.ai/api/web/domain_info?domain=` requests
Resolved 💬 3 comments Opened Aug 20, 2025 by iwinux Closed Aug 20, 2025
Environment
- Platform (select one):
- [ ] Anthropic API
- [x] AWS Bedrock
- [x] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.81 (Claude Code)
- Operating System: macOS 15.3.2
- Terminal: Ghostty
Bug Description
Claude Code is able to fetch web pages with the WebFetch tool, after the user grants the permission.
However, when inspecting the network traffic, we found out that each WebFetch tool use is preceded by a silent API request to https://claude.ai/api/web/domain_info?domain=.
Since we're using Claude Code in work environment, such subtle information leak raises our concern:
- It sends out sensitive information without asking for consent first.
- There's no way to opt-out.
Steps to Reproduce
- set up mitmproxy
- launch Claude Code and redirect all traffic through mitmproxy
- ask it to read docs of https://docs.python.org/3/library/string.html or whatever URLs you have at hand
- notice the requests to
https://claude.ai/api/web/domain_info?domain=.
Expected Behavior
- Don't send requests to
https://claude.ai/api/web/domain_info?domain=. - Possible solution: add an option to disable the domain info check in
settings.json.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗