Security Configuration

Protect your OpenClaw deployment with proper security settings.

Hosted Networking Split

For hosted OpenClaw VPS, security now follows a fixed network split:

  • Public web chat uses Cloudflare
  • Private web chat uses the customer’s own Tailscale tailnet
  • Telegram stays public-only
  • OpenClaw operator access uses OpenClaw’s separate internal tailnet and is not shared with customer bots

That means customer bot traffic never reuses the OpenClaw ops tailnet.

Authentication

Web API Key

Protect web access with an API key:

WEB_API_KEY=your-secret-key-here

Generate a secure key:

openssl rand -base64 32

Cloudflare Access

For Cloudflare deployments, use Cloudflare Access for zero-trust authentication.

Cloudflare Access Setup

Rate Limiting

Prevent abuse with rate limiting:

RATE_LIMIT_ENABLED=true
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW=60000  # 1 minute

Per-User Limits

RATE_LIMIT_PER_USER=50
RATE_LIMIT_PER_IP=200

Network Security

HTTPS

Always use HTTPS in production:

FORCE_HTTPS=true

CORS

Configure allowed origins:

CORS_ORIGINS=https://your-domain.com,https://app.your-domain.com

Trusted Proxies

If behind a reverse proxy:

TRUSTED_PROXIES=true
TRUSTED_PROXY_IPS=10.0.0.0/8,172.16.0.0/12

API Key Security

Never commit API keys to version control. Use environment variables or secret management.

Best Practices

  1. Use separate keys for development and production
  2. Rotate keys periodically
  3. Set up key expiration alerts
  4. Monitor usage for anomalies

Key Rotation

To rotate your provider API key:

  1. Generate a new key in your provider console
  2. Update your environment variable
  3. Restart OpenClaw
  4. Revoke the old key

Logging

Security Logging

Enable detailed security logs:

LOG_SECURITY_EVENTS=true
LOG_LEVEL=info

Logged events:

  • Authentication attempts
  • Rate limit violations
  • Unusual access patterns
  • Error conditions
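Enabling the log is only half of "logs monitored" from the checklist; something has to read it. As an added example (not OpenClaw code), the Python below runs two simple detections over a handful of constructed security events: a sliding-window count of authentication failures per source address, and a tally of rate-limit violations. The page does not specify OpenClaw's log format, so the JSON-lines shape, field names and event names used here are assumptions made for the example; the sample lines are constructed, not real output.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed JSON-lines shape; not real OpenClaw output).
SAMPLE_LOG = """\
{"ts":"2024-05-01T12:00:01Z","event":"auth_failure","ip":"203.0.113.7","path":"/api/chat"}
{"ts":"2024-05-01T12:00:02Z","event":"auth_failure","ip":"203.0.113.7","path":"/api/chat"}
{"ts":"2024-05-01T12:00:03Z","event":"auth_failure","ip":"203.0.113.7","path":"/api/chat"}
{"ts":"2024-05-01T12:00:04Z","event":"auth_failure","ip":"203.0.113.7","path":"/api/chat"}
{"ts":"2024-05-01T12:00:05Z","event":"auth_failure","ip":"203.0.113.7","path":"/api/chat"}
{"ts":"2024-05-01T12:00:09Z","event":"auth_success","ip":"198.51.100.2","user":"alice"}
{"ts":"2024-05-01T12:03:00Z","event":"rate_limit","ip":"198.51.100.9","scope":"ip"}
{"ts":"2024-05-01T12:10:00Z","event":"auth_failure","ip":"198.51.100.2","user":"alice"}
this line is not JSON and should be skipped, not crash the monitor
"""


def parse_events(text: str) -> list:
    """Parse JSON lines, skipping malformed ones so one bad line cannot blind the monitor."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_auth_bruteforce(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a source IP once `threshold` auth failures fall inside a sliding `window`.

    One alert is emitted per burst; the per-IP history is cleared after alerting so
    a sustained attack produces one alert per `threshold` failures, not per failure.
    """
    history = defaultdict(list)
    alerts = []
    for ev in events:
        if ev.get("event") != "auth_failure":
            continue
        ip = ev.get("ip", "unknown")
        ts = parse_ts(ev["ts"])
        recent = history[ip]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "count": len(recent), "last_seen": ev["ts"]})
            recent.clear()
    return alerts


def summarize(events: list) -> Counter:
    """Count events by type, e.g. to chart rate_limit violations over time."""
    return Counter(ev.get("event", "unknown") for ev in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("event counts:", dict(summarize(evs)))
    for alert in detect_auth_bruteforce(evs):
        print("ALERT possible credential guessing:", alert)
```

Alice's single failure at 12:10 does not trigger anything, while the five failures from 203.0.113.7 within four seconds do; the threshold and window are the knobs to tune against your own traffic before wiring alerts to a pager.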

Audit Trail

For compliance, enable audit logging:

ENABLE_AUDIT_LOG=true
AUDIT_LOG_PATH=/var/log/openclaw/audit.log

Firewall Rules

VPS Deployment

Recommended iptables rules:

# Allow loopback and return traffic for connections the host itself opened
# (provider API calls, DNS, package updates); without these two rules the
# final DROP also discards the replies to outbound connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Block everything else
iptables -A INPUT -j DROP

Cloudflare Tunnel

No inbound firewall rules are needed: the tunnel connector opens outbound connections to Cloudflare, so all traffic arrives through Cloudflare and no ports have to be exposed on the host.

Tailscale For Hosted Bots

If you enable private networking on a hosted bot:

  • the bot joins the customer-owned tailnet
  • the bot receives a one-off join key minted from the customer OAuth client
  • the bot runtime does not store the customer OAuth secret
  • private web chat stays on the tailnet instead of being published on the public internet

Security Checklist

  • API keys stored securely (not in code)
  • HTTPS enabled
  • Rate limiting configured
  • Authentication enabled for web UI
  • Logs monitored
  • Regular key rotation scheduled
  • Firewall rules in place (VPS)