yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
528a2483b72d84016e2f40e8e1f83ec49b543f82
openclaw-mission-control/docs/openclaw_gateway_ws.md
Hugh Brown 149fde90c4 docs: document security hardening changes from security review 
Add documentation for all user/operator-facing changes introduced by the
security review branch: rate limits, security headers, webhook HMAC
verification, payload size limits, gateway token redaction, non-root
containers, agent token logging, and prompt injection mitigation.

Updated: docs/reference/api.md, docs/reference/authentication.md,
docs/reference/configuration.md, docs/deployment/README.md,
docs/operations/README.md, docs/openclaw_gateway_ws.md, backend/README.md.
Created: docs/reference/security.md (consolidated security reference).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:35:10 +05:30

31 lines
1.6 KiB
Markdown
Raw Blame History

# Gateway WebSocket protocol
## Connection Types
OpenClaw Mission Control supports both secure (`wss://`) and non-secure (`ws://`) WebSocket connections to gateways.
### Secure Connections (wss://)
For production environments, always use `wss://` (WebSocket Secure) connections with valid TLS certificates.
### Self-Signed Certificates
You can enable support for self-signed TLS certificates with a toggle:
1. Navigate to the gateway configuration page (Settings → Gateways)
2. When creating or editing a gateway, enable: **"Allow self-signed TLS certificates"**
3. This applies to any `wss://` gateway URL for that gateway configuration.
When enabled, Mission Control skips TLS certificate verification for that gateway connection.
**Security Warning**: Enabling this weakens transport security and should only be used when you explicitly trust the endpoint and network path. Prefer valid CA-signed certificates for production gateways.
## Configuration Options
When configuring a gateway, you can specify:
- **Gateway URL**: The WebSocket endpoint (e.g., `wss://localhost:18789` or `ws://gateway:18789`)
- **Gateway Token**: Optional authentication token. For security, tokens are **never returned in API responses**. The API indicates only whether a token is configured (`has_token: true/false`). Store tokens securely at creation time; they cannot be retrieved later.
- **Workspace Root**: The root directory for gateway files (e.g., `~/.openclaw`)
- **Allow self-signed TLS certificates**: Toggle TLS certificate verification off for this gateway's `wss://` connections (default: disabled)
Reference in New Issue View Git Blame Copy Permalink