docs: document security hardening changes from security review

Add documentation for all user/operator-facing changes introduced by the security review branch: rate limits, security headers, webhook HMAC verification, payload size limits, gateway token redaction, non-root containers, agent token logging, and prompt injection mitigation. Updated: docs/reference/api.md, docs/reference/authentication.md, docs/reference/configuration.md, docs/deployment/README.md, docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md. Created: docs/reference/security.md (consolidated security reference). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 14:51:52 -07:00
parent 916dace3c8
commit 149fde90c4
8 changed files with 193 additions and 4 deletions
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -17,3 +17,28 @@ See `.env.example` for defaults and required values.
 - **Where set:** `.env` (backend)
 - **When required:** `AUTH_MODE=local`
 - **Policy:** Must be non-placeholder and at least 50 characters.
+
+## Security response headers
+
+These environment variables control security headers added to every API response. Set any variable to blank (`""`) to disable the corresponding header.
+
+### `SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS`
+
+- **Default:** `nosniff`
+- **Purpose:** Prevents browsers from MIME-type sniffing responses.
+
+### `SECURITY_HEADER_X_FRAME_OPTIONS`
+
+- **Default:** `DENY`
+- **Purpose:** Prevents the API from being embedded in iframes.
+- **Note:** If your deployment embeds the API in an iframe, set this to `SAMEORIGIN` or blank.
+
+### `SECURITY_HEADER_REFERRER_POLICY`
+
+- **Default:** `strict-origin-when-cross-origin`
+- **Purpose:** Controls how much referrer information is sent with requests.
+
+### `SECURITY_HEADER_PERMISSIONS_POLICY`
+
+- **Default:** _(blank — disabled)_
+- **Purpose:** Restricts browser features (camera, microphone, etc.) when set.