# Security

Security best practices for OpenClaw.

## Overview
Security considerations for running OpenClaw:
- Authentication
- Network security
- Data protection
- Sandboxing
## Authentication

Always enable authentication:

```json5
{
  gateway: {
    auth: {
      enabled: true,
      apiKey: "strong-random-key"
    }
  }
}
```

## Network Security
### Local Only (Default)

By default, the gateway only accepts local connections:

```json5
{
  gateway: {
    host: "127.0.0.1"
  }
}
```

### With Remote Access
If exposing to the internet:
- Use a reverse proxy (nginx, Caddy)
- Enable HTTPS
- Use strong authentication
- Consider IP whitelisting
### API Key Security
- Store API keys securely
- Don't commit to version control
- Use environment variables
```bash
export ANTHROPIC_API_KEY="sk-ant-..."
```

## Sandboxing
Enable sandboxing for code execution:
```json5
{
  tools: {
    "code-execution": {
      sandbox: true,
      timeout: 30000
    }
  }
}
```

## Data Protection
- Sensitive data encrypted at rest
- Sessions can be cleared automatically
- Memory can be selectively deleted
## Security Checklist
- [ ] Authentication enabled
- [ ] API keys stored securely
- [ ] Gateway bound to localhost (or behind proxy)
- [ ] HTTPS enabled for remote access
- [ ] Sandboxing enabled for code execution
- [ ] Regular updates installed
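As an added example (not part of the OpenClaw docs or code base), here is a small Node.js audit that checks a parsed gateway config object against the settings shown on this page: authentication enabled with a non-placeholder key, the gateway bound to localhost unless it is behind a proxy, and sandboxing with a timeout for code execution. It assumes only the config keys shown above; the `behindProxy` option, the 32-character key threshold and the sample configs are assumptions of the example, and a real config would be loaded with the `json5` package before being passed in.

```javascript
// Audit a parsed OpenClaw config object (keys as documented on this page).
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);
// Values that indicate the example key was copied verbatim instead of generated.
const PLACEHOLDER_KEYS = new Set(["strong-random-key", "changeme", "password", "secret", ""]);

// Assumed policy: at least 32 characters drawn from at least two character classes.
function isStrongKey(key) {
  if (typeof key !== "string" || key.length < 32) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(key));
  return classes.length >= 2;
}

// Returns a list of finding codes; an empty list means the config passes every check.
function auditConfig(cfg, { behindProxy = false } = {}) {
  const findings = [];
  const auth = cfg?.gateway?.auth ?? {};
  if (auth.enabled !== true) {
    findings.push("auth-disabled");
  } else if (PLACEHOLDER_KEYS.has(String(auth.apiKey ?? "").toLowerCase())) {
    findings.push("api-key-placeholder");
  } else if (!isStrongKey(auth.apiKey)) {
    findings.push("api-key-weak");
  }
  // Local-only binding is the documented default when host is omitted.
  const host = cfg?.gateway?.host ?? "127.0.0.1";
  if (!LOOPBACK.has(host) && !behindProxy) findings.push("gateway-exposed-without-proxy");
  const exec = cfg?.tools?.["code-execution"];
  if (exec) {
    if (exec.sandbox !== true) findings.push("sandbox-disabled");
    if (!(Number.isInteger(exec.timeout) && exec.timeout > 0)) findings.push("no-execution-timeout");
  }
  return findings;
}

// Constructed sample configs: one that copied the page's placeholder and exposed the gateway,
// one that follows the checklist.
const INSECURE_CONFIG = {
  gateway: { auth: { enabled: true, apiKey: "strong-random-key" }, host: "0.0.0.0" },
  tools: { "code-execution": { sandbox: false } },
};
const HARDENED_CONFIG = {
  gateway: { auth: { enabled: true, apiKey: "q7Vp2xL9mZ4tR1wK8sN3bH6yJ0cF5dA2" }, host: "127.0.0.1" },
  tools: { "code-execution": { sandbox: true, timeout: 30000 } },
};

console.log("insecure:", auditConfig(INSECURE_CONFIG));
console.log("hardened:", auditConfig(HARDENED_CONFIG));
```

Run the same audit with `{ behindProxy: true }` when the gateway is deliberately bound to a non-loopback address behind nginx or Caddy.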