Spaces:
Runtime error
Runtime error
| # OpenClaw Gateway Security and Hardening Best Practices | |
| This document consolidates security and hardening best practices for the OpenClaw Gateway, drawing from official documentation and recent security advisories. | |
| ## 1. Core Security Model & Deployment Considerations | |
| OpenClaw is designed primarily for a **personal assistant deployment model**, assuming one trusted operator per gateway. It is **not intended for multi-tenant environments** with untrusted or adversarial users. For such scenarios, run separate gateway instances for each trust boundary. | |
| ## 2. Hardened Baseline Configuration | |
| For a secure starting point, consider the following configuration, which keeps the Gateway local, isolates DMs, and disables potentially dangerous tools by default: | |
| ```json | |
| { | |
| "gateway": { | |
| "mode": "local", | |
| "bind": "loopback", | |
| "auth": { | |
| "mode": "token", | |
| "token": "replace-with-long-random-token" | |
| } | |
| }, | |
| "session": { | |
| "dmScope": "per-channel-peer" | |
| }, | |
| "tools": { | |
| "profile": "messaging", | |
| "deny": ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"], | |
| "fs": { | |
| "workspaceOnly": true | |
| }, | |
| "exec": { | |
| "security": "deny", | |
| "ask": "always" | |
| } | |
| }, | |
| "elevated": { | |
| "enabled": false | |
| }, | |
| "channels": { | |
| "whatsapp": { | |
| "dmPolicy": "pairing", | |
| "groups": { | |
| "*": { | |
| "requireMention": true | |
| } | |
| } | |
| } | |
| } | |
| } | |
| ``` | |
| ## 3. Key Hardening Recommendations | |
| ### 3.1. Network Security | |
| * **Do Not Expose Publicly:** Never expose the OpenClaw gateway directly to the public internet. It typically runs on port 18789. Publicly exposed gateways are easily discoverable. | |
| * **Bind to Localhost:** Configure the gateway to listen only for connections from the local machine by binding it to `127.0.0.1` (localhost) or `loopback` in your `openclaw.json`. | |
| * **Firewall Rules:** Implement strict firewall rules to block all unnecessary inbound and outbound connections, allowing only essential traffic. | |
| * **Secure Remote Access:** For remote access, use secure methods like SSH tunneling or a VPN (e.g., Tailscale) instead of direct exposure. | |
| * **Docker Considerations:** If using Docker, be aware that it can bypass UFW rules. Configure rules in the `DOCKER-USER` chain to control exposure. | |
| ### 3.2. Authentication and Access Control | |
| * **Enable Gateway Authentication:** Always enable gateway authentication and use a strong, randomly generated authentication token. Generate a token with `openclaw doctor --generate-gateway-token`. | |
| * **Manage Access Tokens:** Treat your gateway authentication token like a password. Rotate it regularly and store it securely (e.g., as an environment variable, not in plaintext config files). | |
| * **Restrict Chat and Messaging:** If integrating with chat platforms, use allowlists to specify which user IDs can interact with your agent. | |
| * **Direct Messages (DMs) and Groups:** | |
| * For DMs, use the default `pairing` policy (`dmPolicy: "pairing"`) to require approval for unknown senders. | |
| * For group chats, require the bot to be explicitly mentioned to respond (`requireMention: true`). | |
| * Isolate DM sessions using `session.dmScope: "per-channel-peer"` to prevent context leakage. | |
| ### 3.3. Isolation and Sandboxing | |
| * **Run in a Docker Container:** The recommended approach is to run OpenClaw within a Docker container for process isolation, filesystem restrictions, and network controls. | |
| * **Harden Docker Configuration:** | |
| * Do not mount your home directory or the Docker socket. | |
| * Use read-only filesystems where possible. | |
| * Drop unnecessary Linux capabilities. | |
| * Run the container as a non-root user. | |
| * **Enable Sandbox Mode:** For tasks that execute code, enable OpenClaw's sandbox mode to prevent malicious or compromised prompts from accessing your system or network. Configure this in `agents.defaults.sandbox`. | |
| ### 3.4. Credential and Secret Management | |
| * **Avoid Plaintext Storage:** Never store API keys, tokens, or other sensitive information in plaintext configuration files. | |
| * **Use Secure Storage Mechanisms:** Load credentials from environment variables or use dedicated secrets management solutions (e.g., Hashicorp Vault, AWS Secrets Manager). | |
| ### 3.5. File System Permissions | |
| * Ensure your configuration and state files are private. | |
| * `~/.openclaw/openclaw.json` should have permissions `600` (user read/write only). | |
| * The `~/.openclaw` directory should have permissions `700` (user access only). | |
| * `~/.openclaw/credentials/` and its contents should also be `600`. | |
| ### 3.6. Tool and Skill Security | |
| * **Principle of Least Privilege:** Only grant the agent the permissions and tools it absolutely needs. | |
| * **Audit Third-Party Skills:** Be extremely cautious with third-party skills, as they can contain malicious code. Research has shown a significant number of skills on marketplaces may be malicious. | |
| ### 3.7. Prompt Injection Mitigation | |
| * Lock down who can message the bot using DM pairing and allowlists. | |
| * Require mentions in group chats. | |
| * Run agents that process untrusted content in a sandbox with a minimal toolset. | |
| * Use the latest, most powerful models, as they are generally more resistant to prompt injection. | |
| ### 3.8. Monitoring and Incident Response | |
| * **Enable Logging:** Turn on comprehensive logging for all agent activities (command executions, API calls, file access). Store logs in a secure, separate location where the agent cannot modify them. | |
| * **Log Redaction:** Keep log redaction enabled (`logging.redactSensitive: "tools"`) to prevent sensitive information from leaking into logs. | |
| * **Incident Response Plan:** Have a plan for suspected compromises, including stopping the gateway and revoking API keys. | |
| ## 4. Staying Updated and Aware of Vulnerabilities | |
| The OpenClaw project is under active development, and new vulnerabilities are discovered. | |
| * **Keep Software Updated:** Regularly update OpenClaw and its dependencies to ensure you have the latest security patches. | |
| * **Be Aware of Recent Threats:** Stay informed about new vulnerabilities. Notable past vulnerabilities include: | |
| * **ClawJacked (High Severity):** Allowed malicious websites to hijack locally running OpenClaw instances via WebSocket connections and brute-force password. Patched in v2026.2.25. | |
| * **Remote Code Execution (Critical - CVE-2026-25253):** A malicious link could trick the Control UI into sending an auth token to an attacker-controlled server, leading to RCE. Patched in v2026.1.29. | |
| * **Authentication Bypass (High Severity - CVE-2026-26327):** Allowed attackers on the same local network to intercept credentials by spoofing a legitimate gateway. | |
| * **Other Vulnerabilities:** Server-Side Request Forgery (SSRF - CVE-2026-26322), missing webhook authentication (CVE-2026-26319), and path traversal (CVE-2026-26329). | |
| By diligently applying these practices, you can significantly enhance the security posture of your OpenClaw Gateway deployment. | |