⚠️ CRITICAL SECURITY GUIDE
5-Step OpenClaw Hardening Guide
Over 30,000 OpenClaw instances are currently exposed to the public internet. Secure your AI gateway in 5 essential steps.
Step 1: Move Away from auth: none
The most dangerous configuration is auth: none.
Never Do This:
# DANGEROUS! Anyone who can reach the port can use your instance
gateway:
  host: "0.0.0.0"
  port: 18789
  auth: none
Do This Instead:
# Use API key authentication; the key is read from an environment variable, not stored in the file
gateway:
  host: "0.0.0.0"
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
Step 2: Bind to Localhost
Never expose OpenClaw directly to the internet.
# Bind to localhost only
gateway:
  host: "127.0.0.1"
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
Step 3: Use Tailscale for Network Isolation
Tailscale creates a secure private network. Only devices in your Tailnet can access OpenClaw.
Install Tailscale:
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Authenticate
sudo tailscale up
# Get your Tailscale IP
tailscale ip -4
Configure OpenClaw for Tailscale:
# Use the Tailscale IP printed by `tailscale ip -4`
gateway:
  host: "100.x.x.x"
  port: 18789
  auth:
    method: "tailscale"
Step 4: Enable Rate Limiting
Rate limiting slows down abuse and denial-of-service attempts against the gateway.
# Configure rate limits
gateway:
  rate_limit:
    enabled: true
    requests_per_minute: 60
    burst: 10
Step 5: Set Up Monitoring
Implement comprehensive logging and alerts.
# Enable audit logging
logging:
  level: "info"
  audit:
    enabled: true

# Configure alerts
alerts:
  enabled: true
  rules:
    - name: "Multiple auth failures"
      condition: "auth_failures > 5 in 1m"
      action: "notify"
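As an added example (not code from the OpenClaw project or from this guide), a small Python checker that tests a gateway config against the five steps above. It assumes the YAML has already been loaded into a dict (for example with PyYAML's yaml.safe_load), uses the key names from the snippets above, and treats 100.64.0.0/10 as the Tailscale address range; the two sample configs are constructed for the demonstration.

```python
"""Audit a parsed OpenClaw gateway config against the five hardening steps."""
import ipaddress

# Constructed sample: the dangerous config from step 1, as PyYAML would load it.
DANGEROUS = {"gateway": {"host": "0.0.0.0", "port": 18789, "auth": "none"}}

# Constructed sample: a config that follows steps 1, 2, 4 and 5.
HARDENED = {
    "gateway": {
        "host": "127.0.0.1",
        "port": 18789,
        "auth": {"method": "api_key", "api_key": "${OPENCLAW_API_KEY}"},
        "rate_limit": {"enabled": True, "requests_per_minute": 60, "burst": 10},
    },
    "logging": {"level": "info", "audit": {"enabled": True}},
}


def is_tailscale(host: str) -> bool:
    """True if host is in the CGNAT range Tailscale assigns (100.64.0.0/10, assumption)."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network("100.64.0.0/10")
    except ValueError:
        return False


def audit_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    gw = cfg.get("gateway", {})
    auth = gw.get("auth")
    host = str(gw.get("host", ""))
    # Step 1: auth: none lets anyone who can reach the port use the gateway.
    if auth in (None, "none"):
        findings.append("gateway.auth is 'none' (step 1)")
    elif isinstance(auth, dict) and auth.get("method") == "api_key":
        # A literal key in the file ends up in backups and version control.
        if not str(auth.get("api_key", "")).startswith("${"):
            findings.append("gateway.auth.api_key is hard-coded, use an env var (checklist)")
    # Steps 2-3: only loopback or a Tailscale address is acceptable as the bind host.
    if not (host.startswith("127.") or host == "::1" or is_tailscale(host)):
        findings.append(f"gateway.host {host!r} is neither localhost nor Tailscale (steps 2-3)")
    # Step 4: rate limiting must be present and enabled.
    if not gw.get("rate_limit", {}).get("enabled"):
        findings.append("gateway.rate_limit is missing or disabled (step 4)")
    # Step 5: audit logging must be present and enabled.
    if not cfg.get("logging", {}).get("audit", {}).get("enabled"):
        findings.append("logging.audit is missing or disabled (step 5)")
    return findings
```

Run audit_config on the loaded config and treat a non-empty result as a failed check; the first word of each finding names the offending key.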
Security Checklist
Authentication
- Disabled auth: none
- Using API keys or JWT
- Environment variables for secrets
Network Security
- Bound to localhost or Tailscale
- TLS/SSL enabled
- Firewall configured