yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f7932d962a2ad0d8a15fef2f61f9e20d72ae1e37
openclaw-mission-control/docs/reference/configuration.md
Abhimanyu Saharan fb8a932923 fix(security): Close review follow-up gaps 
Rate-limit the optional agent bearer path after user auth resolution so mixed user/agent routes no longer leave an unthrottled PBKDF2 path. Stop logging token prefixes on agent auth failures and require a locally supplied token for backend/.env.test instead of committing one.

Update tests and docs to cover agent bearer fallback, configurable webhook signature headers, and the operator-facing security settings added by the hardening work.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-07 23:40:50 +05:30

2.3 KiB
Raw Blame History

Configuration reference

This page collects the most important config values.

Root .env (Compose)

See .env.example for defaults and required values.

NEXT_PUBLIC_API_URL

  • Where set: .env (frontend container environment)
  • Purpose: Public URL the browser uses to call the backend.
  • Gotcha: Must be reachable from the browser (host), not a Docker network alias.

LOCAL_AUTH_TOKEN

  • Where set: .env (backend)
  • When required: AUTH_MODE=local
  • Policy: Must be non-placeholder and at least 50 characters.

WEBHOOK_MAX_PAYLOAD_BYTES

  • Default: 1048576 (1 MiB)
  • Purpose: Maximum accepted inbound webhook payload size before the API returns 413 Content Too Large.

RATE_LIMIT_BACKEND

  • Default: memory
  • Allowed values: memory, redis
  • Purpose: Selects whether rate limits are tracked per-process in memory or shared through Redis.

RATE_LIMIT_REDIS_URL

  • Default: (blank)
  • When required: RATE_LIMIT_BACKEND=redis and RQ_REDIS_URL is not set
  • Purpose: Redis connection string used for shared rate limits.
  • Fallback: If blank and Redis rate limiting is enabled, the backend falls back to RQ_REDIS_URL.

TRUSTED_PROXIES

  • Default: (blank)
  • Purpose: Comma-separated list of trusted reverse-proxy IPs or CIDRs used to honor Forwarded / X-Forwarded-For client IP headers.
  • Gotcha: Leave this blank unless the direct peer is a proxy you control.

Security response headers

These environment variables control security headers added to every API response. Set any variable to blank ("") to disable the corresponding header.

SECURITY_HEADER_X_CONTENT_TYPE_OPTIONS

  • Default: nosniff
  • Purpose: Prevents browsers from MIME-type sniffing responses.

SECURITY_HEADER_X_FRAME_OPTIONS

  • Default: DENY
  • Purpose: Prevents the API from being embedded in iframes.
  • Note: If your deployment embeds the API in an iframe, set this to SAMEORIGIN or blank.

SECURITY_HEADER_REFERRER_POLICY

  • Default: strict-origin-when-cross-origin
  • Purpose: Controls how much referrer information is sent with requests.

SECURITY_HEADER_PERMISSIONS_POLICY

  • Default: (blank — disabled)
  • Purpose: Restricts browser features (camera, microphone, etc.) when set.
Reference in New Issue View Git Blame Copy Permalink