Add documentation for all user/operator-facing changes introduced by the security review branch: rate limits, security headers, webhook HMAC verification, payload size limits, gateway token redaction, non-root containers, agent token logging, and prompt injection mitigation. Updated: docs/reference/api.md, docs/reference/authentication.md, docs/reference/configuration.md, docs/deployment/README.md, docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md. Created: docs/reference/security.md (consolidated security reference). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Configuration reference
This page collects the most important config values.
Root .env (Compose)
See .env.example for defaults and required values.
NEXT_PUBLIC_API_URL
- Where set: .env (frontend container environment)
- Purpose: Public URL the browser uses to call the backend.
- Gotcha: Must be reachable from the browser (host), not a Docker network alias.
LOCAL_AUTH_TOKEN
- Where set: .env (backend)
- When required: AUTH_MODE=local
- Policy: Must be non-placeholder and at least 50 characters.
Security response headers
These environment variables control security headers added to every API response. Set any variable to blank ("") to disable the corresponding header.
SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS
- Default: nosniff
- Purpose: Prevents browsers from MIME-type sniffing responses.
SECURITY_HEADER_X_FRAME_OPTIONS
- Default: DENY
- Purpose: Prevents the API from being embedded in iframes.
- Note: If your deployment embeds the API in an iframe, set this to SAMEORIGIN or blank.
SECURITY_HEADER_REFERRER_POLICY
- Default: strict-origin-when-cross-origin
- Purpose: Controls how much referrer information is sent with requests.
SECURITY_HEADER_PERMISSIONS_POLICY
- Default: (blank — disabled)
- Purpose: Restricts browser features (camera, microphone, etc.) when set.
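An added example, not the project's own code, showing how an operator-side config check could apply two rules from this page: an unset security-header variable falls back to its documented default while a blank value disables that header, and LOCAL_AUTH_TOKEN is rejected when AUTH_MODE=local and the token is a placeholder or shorter than 50 characters. The HTTP header names behind each variable and the placeholder word list are assumptions.

```python
import os

# Env var (as documented above) -> (HTTP response header, documented default).
# A default of None means the header is off unless the variable is set.
# Header names are assumed from the variable names, not taken from the project.
SECURITY_HEADER_VARS = {
    "SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS": ("X-Content-Type-Options", "nosniff"),
    "SECURITY_HEADER_X_FRAME_OPTIONS": ("X-Frame-Options", "DENY"),
    "SECURITY_HEADER_REFERRER_POLICY": ("Referrer-Policy", "strict-origin-when-cross-origin"),
    "SECURITY_HEADER_PERMISSIONS_POLICY": ("Permissions-Policy", None),
}

# Constructed list of placeholder values a token policy should reject.
PLACEHOLDER_TOKENS = {"changeme", "replace-me", "your-token-here", "xxx"}


def resolve_security_headers(env):
    """Return the headers to add to every API response for the given env mapping.

    Unset variable  -> documented default (if any)
    Blank ("")      -> header disabled (omitted)
    Any other value -> used verbatim
    """
    headers = {}
    for var, (header, default) in SECURITY_HEADER_VARS.items():
        value = env.get(var)
        if value is None:          # not set at all: fall back to the default
            value = default
        if value is None or value.strip() == "":
            continue               # blank disables; no default means off
        headers[header] = value.strip()
    return headers


def check_local_auth_token(env):
    """Apply the LOCAL_AUTH_TOKEN policy; only enforced when AUTH_MODE=local.

    Returns a list of problems (empty means the configuration is acceptable).
    """
    if env.get("AUTH_MODE") != "local":
        return []
    token = env.get("LOCAL_AUTH_TOKEN", "")
    if not token or token.strip().lower() in PLACEHOLDER_TOKENS:
        return ["LOCAL_AUTH_TOKEN is missing or a placeholder value"]
    if len(token) < 50:
        return [f"LOCAL_AUTH_TOKEN is {len(token)} characters; policy requires at least 50"]
    return []


if __name__ == "__main__":
    print(resolve_security_headers(os.environ))
    for problem in check_local_auth_token(os.environ):
        print("config error:", problem)
```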