yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: document security hardening changes from security review

Browse Source 
Add documentation for all user/operator-facing changes introduced by the
security review branch: rate limits, security headers, webhook HMAC
verification, payload size limits, gateway token redaction, non-root
containers, agent token logging, and prompt injection mitigation.

Updated: docs/reference/api.md, docs/reference/authentication.md,
docs/reference/configuration.md, docs/deployment/README.md,
docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md.
Created: docs/reference/security.md (consolidated security reference).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 14:51:52 -07:00
committed by Abhimanyu Saharan
parent 916dace3c8
commit 149fde90c4
8 changed files with 193 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/openclaw_gateway_ws.md
View File

@@ -25,6 +25,6 @@ When enabled, Mission Control skips TLS certificate verification for that gatewa
When configuring a gateway, you can specify:
- **Gateway URL**: The WebSocket endpoint (e.g., `wss://localhost:18789` or `ws://gateway:18789`)
- **Gateway Token**: Optional authentication token
- **Gateway Token**: Optional authentication token. For security, tokens are **never returned in API responses**. The API indicates only whether a token is configured (`has_token: true/false`). Store tokens securely at creation time; they cannot be retrieved later.
- **Workspace Root**: The root directory for gateway files (e.g., `~/.openclaw`)
- **Allow self-signed TLS certificates**: Toggle TLS certificate verification off for this gateway's `wss://` connections (default: disabled)