The Security Checklist
Don't Expose Ports Publicly
Never expose OpenClaw's web interface or API to the public internet without protection.
- Use a VPN for remote access
- Configure IP allowlists if cloud-hosted
- Use SSH tunnels for admin access
Enable Authentication
Add strong authentication to any web interfaces or APIs.
openclaw config set auth.enabled true
Use Strong Secrets
Generate strong, unique passwords and API keys. Never use defaults.
- Use a password manager
- Generate 32+ character random strings for API keys
- Never commit secrets to git
Enable TLS/HTTPS
All traffic should be encrypted. Use Let's Encrypt for free certificates.
openclaw config set tls.enabled true
Rotate Keys Regularly
API keys and OAuth tokens should be rotated periodically.
- Rotate Anthropic API key monthly
- Re-authorize OAuth integrations quarterly
- Revoke unused tokens immediately
Set Rate Limits
Prevent abuse and runaway costs with rate limiting.
openclaw config set ratelimit.requests_per_minute 60
Enable Logging & Alerts
Monitor for suspicious activity and set up alerts.
- Log all API requests
- Alert on failed authentication attempts
- Monitor for unusual usage patterns
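One way to turn the "alert on failed authentication attempts" item into a concrete check, as an added example that is not part of the original checklist or of OpenClaw itself: the log format below is constructed for illustration (OpenClaw's real log layout is not shown here), and the threshold and window are assumed values you would tune to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format.
# The real OpenClaw log layout may differ; adapt parse_line() to it.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 path=/api/run status=401 msg=auth_failed
2024-05-01T10:00:03Z ip=203.0.113.7 path=/api/run status=401 msg=auth_failed
2024-05-01T10:00:04Z ip=198.51.100.2 path=/api/run status=200 msg=ok
2024-05-01T10:00:05Z ip=203.0.113.7 path=/api/run status=401 msg=auth_failed
2024-05-01T10:00:06Z ip=203.0.113.7 path=/api/run status=401 msg=auth_failed
2024-05-01T10:00:07Z ip=203.0.113.7 path=/api/run status=401 msg=auth_failed
2024-05-01T10:09:00Z ip=198.51.100.2 path=/api/run status=401 msg=auth_failed
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed into a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def failed_auth_alerts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: count} for every source IP that produced at least
    `threshold` HTTP 401 responses inside any sliding window of `window`.
    Threshold and window are assumed defaults, not OpenClaw settings."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("status") == "401":
            failures[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), size)
    return alerts


if __name__ == "__main__":
    for ip, count in failed_auth_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed auth attempts from {ip}")
```

Run it on a rotated copy of the real log rather than the live file, and feed the returned dict to whatever alerting channel you already use.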
Common Vulnerabilities We See
Exposed Web Interface
OpenClaw running on port 3000 and reachable from the internet: anyone can send it commands.
API Keys in Git
Anthropic API keys committed to public repositories. Bots scan for these constantly.
No Authentication
Default installation with no auth enabled: anyone with the URL can access it.