The Complete Security Checklist for OpenClaw Deployments

8 min read|2026-02-18|by Agent14

Deploying OpenClaw to production without proper security configuration is like leaving your front door open. Here is a comprehensive checklist to lock things down.

HTTP Security Headers

These headers should be set on every response:

Strict-Transport-Security: Force HTTPS with `max-age=31536000; includeSubDomains`

Content-Security-Policy: Restrict resource loading to trusted origins

X-Frame-Options: Set to `DENY` to prevent clickjacking

X-Content-Type-Options: Set to `nosniff`

Referrer-Policy: Use `strict-origin-when-cross-origin`

Rate Limiting

Every public API endpoint should have rate limits:

Authentication endpoints: 5 requests per minute per IP

API endpoints: 100 requests per minute per user

Public endpoints: 1000 requests per minute per IP

CORS Configuration

Never use * for allowed origins in production. Explicitly list your domains:

yaml

cors:
  origins:
    - https://yourdomain.com
    - https://app.yourdomain.com
  methods: [GET, POST, PUT, DELETE]
  credentials: true

Secrets Management

Never commit secrets to version control

Use environment variables or a secrets manager (Vault, AWS Secrets Manager)

Rotate secrets on a regular schedule (every 30-90 days)

Use different secrets for each environment

Authentication

Enforce strong passwords (minimum 8 characters, mixed case, numbers)

Implement MFA for admin accounts

Use short-lived JWT tokens (15 minutes) with refresh tokens

Invalidate sessions on password change

Quick Start

Our Security Hardened bundle includes all of these configurations pre-built. Download it, customize the domains and secrets, and deploy.

Ready to get your configs right?

Browse production-ready bundles or generate a custom config.

Browse Bundles Try Generator