yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
528a2483b72d84016e2f40e8e1f83ec49b543f82
openclaw-mission-control/docs/openclaw_gateway_ws.md
Hugh Brown 149fde90c4 docs: document security hardening changes from security review 
Add documentation for all user/operator-facing changes introduced by the
security review branch: rate limits, security headers, webhook HMAC
verification, payload size limits, gateway token redaction, non-root
containers, agent token logging, and prompt injection mitigation.

Updated: docs/reference/api.md, docs/reference/authentication.md,
docs/reference/configuration.md, docs/deployment/README.md,
docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md.
Created: docs/reference/security.md (consolidated security reference).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:35:10 +05:30

1.6 KiB
Raw Blame History

Gateway WebSocket protocol

Connection Types

OpenClaw Mission Control supports both secure (wss://) and non-secure (ws://) WebSocket connections to gateways.

Secure Connections (wss://)

For production environments, always use wss:// (WebSocket Secure) connections with valid TLS certificates.

Self-Signed Certificates

You can enable support for self-signed TLS certificates with a toggle:

  1. Navigate to the gateway configuration page (Settings → Gateways)
  2. When creating or editing a gateway, enable: "Allow self-signed TLS certificates"
  3. This applies to any wss:// gateway URL for that gateway configuration.

When enabled, Mission Control skips TLS certificate verification for that gateway connection.

Security Warning: Enabling this weakens transport security and should only be used when you explicitly trust the endpoint and network path. Prefer valid CA-signed certificates for production gateways.

Configuration Options

When configuring a gateway, you can specify:

  • Gateway URL: The WebSocket endpoint (e.g., wss://localhost:18789 or ws://gateway:18789)
  • Gateway Token: Optional authentication token. For security, tokens are never returned in API responses. The API indicates only whether a token is configured (has_token: true/false). Store tokens securely at creation time; they cannot be retrieved later.
  • Workspace Root: The root directory for gateway files (e.g., ~/.openclaw)
  • Allow self-signed TLS certificates: Toggle TLS certificate verification off for this gateway's wss:// connections (default: disabled)
Reference in New Issue View Git Blame Copy Permalink