docs: document security hardening changes from security review
Add documentation for all user/operator-facing changes introduced by the security review branch: rate limits, security headers, webhook HMAC verification, payload size limits, gateway token redaction, non-root containers, agent token logging, and prompt injection mitigation. Updated: docs/reference/api.md, docs/reference/authentication.md, docs/reference/configuration.md, docs/deployment/README.md, docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md. Created: docs/reference/security.md (consolidated security reference). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
committed by
Abhimanyu Saharan
Abhimanyu Saharan
parent
916dace3c8
commit
149fde90c4
@@ -65,6 +65,15 @@ A starter file exists at `backend/.env.example`.
|
||||
- If `true`: on startup, the backend attempts to run Alembic migrations (`alembic upgrade head`).
|
||||
- If there are **no** Alembic revision files yet, it falls back to `SQLModel.metadata.create_all`.
|
||||
|
||||
### Security headers
|
||||
|
||||
Security response headers added to every API response. Set any variable to blank to disable the corresponding header.
|
||||
|
||||
- `SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS` (default: `nosniff`)
|
||||
- `SECURITY_HEADER_X_FRAME_OPTIONS` (default: `DENY`)
|
||||
- `SECURITY_HEADER_REFERRER_POLICY` (default: `strict-origin-when-cross-origin`)
|
||||
- `SECURITY_HEADER_PERMISSIONS_POLICY` (default: blank — disabled)
|
||||
|
||||
### Auth (Clerk)
|
||||
|
||||
Clerk is used for user authentication (optional for local/self-host in many setups).
|
||||
|
||||
Reference in New Issue
Block a user