docs: document security hardening changes from security review

Add documentation for all user/operator-facing changes introduced by the security review branch: rate limits, security headers, webhook HMAC verification, payload size limits, gateway token redaction, non-root containers, agent token logging, and prompt injection mitigation. Updated: docs/reference/api.md, docs/reference/authentication.md, docs/reference/configuration.md, docs/deployment/README.md, docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md. Created: docs/reference/security.md (consolidated security reference). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 14:51:52 -07:00
parent 916dace3c8
commit 149fde90c4
8 changed files with 193 additions and 4 deletions
--- a/docs/deployment/README.md
+++ b/docs/deployment/README.md
@@ -34,6 +34,10 @@ Key variables (from `.env.example` / `compose.yml`):
 - Backend:
  - `DB_AUTO_MIGRATE` (default `true` in compose)
  - `CORS_ORIGINS` (default `http://localhost:3000`)
+- Security headers (see [configuration reference](../reference/configuration.md)):
+  - `SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS` (default `nosniff`)
+  - `SECURITY_HEADER_X_FRAME_OPTIONS` (default `DENY`)
+  - `SECURITY_HEADER_REFERRER_POLICY` (default `strict-origin-when-cross-origin`)

 ### 2) Start the stack

@@ -90,6 +94,16 @@ cd backend
 uv run alembic upgrade head
 ```

+## Container security
+
+Both the backend and frontend Docker containers run as a **non-root user** (`appuser`). This is a security hardening measure.
+
+If you bind-mount host directories into the containers, ensure the mounted paths are readable (and writable, if needed) by the container's non-root user. You can check the UID/GID with:
+
+```bash
+docker compose exec backend id
+```
+
 ## Reverse proxy / TLS

 Typical setup (outline):