{"slug": "stop-claude-code-session-urls-from-landing-in-your-public-git-history", "title": "Stop Claude Code Session URLs From Landing in Your Public Git History", "summary": "Anthropic's Claude Code tool has been automatically appending session URLs to commits and pull request descriptions since version 2.1.179, exposing internal links in public git history. The company released setting `attribution.sessionUrl: false` in version 2.1.183 to disable this behavior, addressing developer concerns about unintended disclosure of metadata and commit clutter.", "body_md": "# Stop Claude Code Session URLs From Landing in Your Public Git History\n\nYou open a teammate’s pull request and there it is, stapled to the bottom of the description:\n\n```\n🔗 https://claude.ai/code/session_01SBzqph11q7ZSHA5QEGgtu5\n```\n\nNobody typed that. Nobody chose to publish it. But it’s in the PR body now, and on the commits underneath it, sitting in your repo’s history where every contributor — and on a public repo, the whole internet — can read it.\n\nIf you’ve been running Claude Code from the web or over Remote Control, that line comes from a default you never opted into. As of **v2.1.183 (June 2026)** there’s finally a single setting to turn it off. Here’s that setting, what the link actually exposes (less than the panic suggests), and how to decide your team’s policy.\n\n## The fix\n\nAdd this to your settings:\n\n```\n{\n  \"attribution\": {\n    \"sessionUrl\": false\n  }\n}\n```\n\n`attribution.sessionUrl`\n\nis a boolean nested under `attribution`\n\n. It defaults to `true`\n\n. Set it to `false`\n\nand Claude Code stops appending the `claude.ai/code/session_…`\n\nlink to your commits and PRs. That’s the whole fix.\n\nOne caveat up front: this only affects **web sessions and Remote Control sessions**. Local CLI sessions never added the link, so the setting is a no-op there. The [v2.1.183 changelog](https://github.com/anthropics/claude-code/releases/tag/v2.1.183) puts it plainly — “Added `attribution.sessionUrl`\n\nsetting to omit the claude.ai session link from commits and PRs in web and Remote Control sessions.”\n\n## What’s actually being added\n\nSince around v2.1.179, commits Claude makes in a web session carry a `Claude-Session:`\n\ngit trailer pointing at the session URL, and PR bodies get the same URL on its own line. It looks like attribution — same neighborhood as the `🤖 Generated with Claude Code`\n\nline and the `Co-Authored-By`\n\ntrailer — but until v2.1.183 it had no off switch of its own.\n\nThat last part is why people were annoyed. Developers who’d already set `attribution.commit: \"\"`\n\nfor clean commits found the session URL *still* showed up ([issue #41873](https://github.com/anthropics/claude-code/issues/41873)). The attribution-text setting didn’t touch it. That issue was closed “not planned,” and a separate request to make the link opt-in ([#66504](https://github.com/anthropics/claude-code/issues/66504)) is where the v2.1.183 setting eventually came from. So if you tried to kill this a while back and failed: you weren’t crazy — the knob didn’t exist yet.\n\n## Is this a leak?\n\nShort answer: no, not in the “you dumped a credential” sense. Be honest with yourself about the actual cost before you treat it like an incident.\n\nWhat the link is: a deep link to your Claude Code session. **It’s generally only resolvable by the account that owns the session.** A stranger who finds `https://claude.ai/code/session_01SB…`\n\nin your git log can’t open your transcript. It is not a public API key, not a token, not your prompt history exposed to the world.\n\nSo what *is* the cost? Three real ones, none of them a CVE:\n\n**History clutter.** On a public or OSS repo, every agent-authored commit now carries an internal SaaS URL that means nothing to outside contributors. It’s noise in`git log`\n\n, forever.**Minor information disclosure.** The line signals*which*commits were agent-authored and exposes an internal link surface — the URL pattern, the fact that you’re driving from web or Remote Control. That’s metadata, not secrets, but on a public repo it’s metadata you’re publishing by default.**A policy gap.** It shipped on-by-default with no opt-in prompt. For a team or an org, “a tool changed our commit format and nobody decided to” is the thing worth fixing — more than the URL itself.\n\nFrame it as cleanliness and governance, not breach response. If you sell your team a “we’re leaking secrets” story, the first person who clicks the link, hits an auth wall, and realizes it’s account-scoped will quietly discount your next security call. Get this one right. (This is the same config-hygiene muscle as [locking down permissions](/blog/claude-code-safe-mode/) or [picking an auto-review posture](/blog/cursor-auto-review-vs-yolo/) — boring settings that decide what your team ships by default.)\n\n## Where to set it\n\nSame precedence as every other Claude Code setting — most specific wins:\n\n**User**—`~/.claude/settings.json`\n\n. Affects only you, across every repo. Good for personal preference.**Project**—`.claude/settings.json`\n\n, committed to the repo.**This is how a team standardizes:** one commit, and everyone who runs Claude Code in that repo inherits`sessionUrl: false`\n\n.**Enterprise managed settings**— org-enforced, overrides the others. Use this when “off” isn’t a suggestion — public repos under a company org, say.\n\nFor a shared repo, set it at the project level. Relying on every contributor to fix their own `~/.claude`\n\nis how you end up with half your commits clean and half not.\n\n## It’s not the only attribution knob\n\nWhile you’re in there, know the rest of the surface so you configure the whole thing, not just the URL:\n\n`attribution.sessionUrl`\n\n— the`claude.ai/code/session_…`\n\nlink (this post).`includeCoAuthoredBy`\n\n— the`Co-Authored-By: Claude <noreply@anthropic.com>`\n\ntrailer. Boolean, default`true`\n\n; set`false`\n\nto drop it.`attribution.commit`\n\n/`attribution.pr`\n\n— the human-readable “Generated with Claude Code” text on commits and PRs. Set to`\"\"`\n\nto remove.\n\nThese are independent. Turning off the session URL leaves the co-author trailer in place, and vice versa. Decide all three in one sitting, or you’ll be back here next month for the one you missed.\n\n## A team policy in three tiers\n\n**Solo / private repo:** leave`sessionUrl`\n\non. The link is a genuinely useful audit trail — click a commit, land back in the session that produced it. Nobody outside sees it. Keep the signal.**Shared team repo:** set`sessionUrl: false`\n\nat the project level, and settle your`Co-Authored-By`\n\npolicy in the same PR. Standardize once so the history stays consistent.**Public / OSS repo:**`sessionUrl: false`\n\n, enforced via managed settings if you have an org that can. External contributors don’t need your internal links in the canonical history.\n\n## Bottom line\n\nThe session link is an audit feature wearing a privacy scare’s clothing. **On a repo where you’re the only reader, it’s useful; on a repo strangers read, it’s clutter you didn’t choose — and now it’s one boolean to remove.** Default-on with no prompt was the real miss; `attribution.sessionUrl: false`\n\nis the fix. Set it at the level that matches who can see your history.\n\nIn your repos — is the session link useful audit signal, or noise you turned off the day you found it?", "url": "https://wpnews.pro/news/stop-claude-code-session-urls-from-landing-in-your-public-git-history", "canonical_source": "https://outofcontext.dev/blog/claude-code-session-url-attribution/", "published_at": "2026-06-30 00:00:00+00:00", "updated_at": "2026-06-30 23:26:41.963147+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-safety"], "entities": ["Anthropic", "Claude Code", "GitHub"], "alternates": {"html": "https://wpnews.pro/news/stop-claude-code-session-urls-from-landing-in-your-public-git-history", "markdown": "https://wpnews.pro/news/stop-claude-code-session-urls-from-landing-in-your-public-git-history.md", "text": "https://wpnews.pro/news/stop-claude-code-session-urls-from-landing-in-your-public-git-history.txt", "jsonld": "https://wpnews.pro/news/stop-claude-code-session-urls-from-landing-in-your-public-git-history.jsonld"}}