[BUG]
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Errors in SECURITY.md
_Security Policy
Thank you for helping us keep Claude Code secure!
Reporting Security Issues
The security of our systems and user data is Anthropic's top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities.
Our security program is managed on HackerOne and we ask that any validated vulnerability in this functionality be reported through their submission form._
Security Issue: Pre-consent cookie and weakened CSP on claude.ai
Captured: Sat, 30 May 2026
Browser: Any
Method: curl -sI https://claude.ai
---
Issue 1: Cookie set before consent ⚠
The following cookie is set on page load, prior to any consent interaction:
__cf_bm={...}-[...]
Domain: claude.ai
Path: /
Expires: Sat, 30 May 2026 [value redacted]
Flags: HttpOnly; Secure; SameSite=None
__cf_bm is a Cloudflare Bot Management cookie. While Cloudflare may characterise this as
strictly necessary for security purposes, the ePrivacy Directive requires that even security
cookies meet the strict necessity threshold — i.e. the service cannot function without them.
Bot management is an operational choice, not a technical necessity, and no consent mechanism
or disclosure is presented to the user prior to this cookie being set.
Under GDPR Article 25 (Data Protection by Design and by Default), privacy-protective defaults
are required. Setting a third-party cookie silently on first contact does not meet this standard.
---
Issue 2: CSP weakened with unsafe-eval ⚠
The script-src directive includes 'unsafe-eval', which instructs the user's browser to
relax its script execution rules. This directive is sent to the end user's browser without
their knowledge or consent, reducing their security posture to serve Anthropic's technical
requirements.
This is inconsistent with GDPR Article 25, which requires data protection by default —
not the silent imposition of a weaker security configuration on the user's browser.
Affected CSP directive:
script-src 'nonce-[value redacted]' 'unsafe-eval'
https://challenges.cloudflare.com/
---
Full response headers (sanitised)
CONTENT SECURITY POLICY
default-src 'none'
script-src 'nonce-[value redacted]' 'unsafe-eval' ⚠
https://challenges.cloudflare.com/
script-src-attr 'none'
style-src 'unsafe-inline'
img-src 'self'
https://challenges.cloudflare.com/
connect-src 'self'
https://challenges.cloudflare.com/
frame-src 'self'
https://challenges.cloudflare.com/ blob:
child-src 'self'
https://challenges.cloudflare.com/ blob:
worker-src blob:
form-action http: https:
base-uri 'self'
CROSS-ORIGIN POLICY
cross-origin-embedder-policy require-corp
cross-origin-opener-policy same-origin
cross-origin-resource-policy same-origin
SECURITY HEADERS
x-frame-options SAMEORIGIN
referrer-policy same-origin
permissions-policy accelerometer=(), browsing-topics=(),
camera=(), clipboard-read=(),
clipboard-write=(), geolocation=(),
gyroscope=(), hid=(),
interest-cohort=(), magnetometer=(),
microphone=(), payment=(),
publickey-credentials-get=(),
screen-wake-lock=(), serial=(),
sync-xhr=(), usb=(),
xr-spatial-tracking=(self)
COOKIE
__cf_bm [value redacted]
Domain claude.ai
Path /
Expires Sat, 30 May 2026 [value redacted]
Flags HttpOnly; Secure; SameSite=None ⚠
---
Summary
| Issue | Detail |
|---|---|
| Pre-consent cookie | __cf_bm set before any user interaction or consent |
| Cookie purpose | Cloudflare Bot Management (third party) |
| unsafe-eval in CSP | Silently weakens end-user browser security posture |
| Legal basis | GDPR Article 25 — Data Protection by Design and by Default |
Relevant legislation
- ePrivacy Directive 2002/58/EC — requires consent for non-essential cookies
- GDPR Article 25 — requires privacy-protective defaults; silent weakening of
browser security posture by server instruction does not meet this standard
- Jurisdiction: EU PD,
with likely referral to Irish DPC for Anthropic's EU entity
---
*This report is filed in good faith as a technical security issue.
A copy has been retained for potential referral to national PD should
no response be received within 30 days.*
What Should Happen?
Not this
Error Messages/Logs
Steps to Reproduce
curl -sI https://claude.ai | grep -E "set-cookie|content-security-policy|strict-transport|x-frame|referrer|permissions-policy|cross-origin"
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
irrelevant
Platform
Anthropic API
Operating System
Other
Terminal/Shell
Other
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗