OpenClaw Production Security Hardening Guide (2026)
OpenClaw makes it easy to orchestrate agents, but in production the threat model shifts: prompt injection, sandbox escapes, leaked API keys, and exposed browser ports can all burn you. This guide is the practical hardening playbook I use when shipping OpenClaw to real environments. It favors least privilege, fast wins first, and clear rollback steps.
TL;DR Checklist
- Patch + reboot regularly (unattended-upgrades, weekly reboot window); compare your host to the CIS hardening baseline.
- SSH keys only, root login off, fail2ban on; ufw allow 22/tcp, block 18800 from the internet (bind CDP to 127.0.0.1 only).
- In openclaw.json: sandbox.mode on, dmPolicy/groupPolicy = allowlist, tools.profile = minimal, lossless_claw + context_engine true.
- Gateway: headless Chrome, --remote-debugging-address=127.0.0.1, --no-sandbox, no public CDP exposure, per-profile directories.
- Secrets: env files chmod 600, no secrets in prompts, separate staging/prod OAuth, rotate quarterly or after incidents.
- Monitoring: auditd + OpenClaw logs shipped to ELK/Grafana; alert on elevated exec, model/tool error spikes, or gateway restarts.
- Backups: snapshot agentDir + configs; test restore monthly; incident playbook ready.
1) Baseline Host Hardening (Ubuntu 22.04)
Keep the OS boring and patched.
– Patching: sudo apt install unattended-upgrades && sudo dpkg-reconfigure unattended-upgrades; log reboots and patch windows. Reboot weekly so kernel fixes land.
– Accounts: disable password auth and root login in /etc/ssh/sshd_config; use SSH keys only; keep a break-glass user with a distinct key.
– Fail2ban: enable the sshd jail; set bantime >= 1h; send bans to syslog so they get shipped with other logs.
– Firewall (ufw):
– ufw default deny incoming, ufw default allow outgoing.
– Allow: ufw allow 22/tcp (or your SSH port).
– Deny/loopback: CDP/Chrome port 18800 must stay on 127.0.0.1 (do not open to WAN). Verify with ss -ltnp | grep 18800.
– System protections: set fs.protected_symlinks=1, fs.protected_hardlinks=1, and kernel.unprivileged_bpf_disabled=1 in /etc/sysctl.d/99-openclaw.conf; sysctl --system after changes.
– Time + logs: ensure chrony or systemd-timesyncd is running; keep logrotate sane to avoid disk pressure.
– File integrity: optional AIDE/Tripwire on /etc, /home/*/.openclaw, and gateway service files so drift is detectable.
– Baseline: map your controls to the CIS Benchmarks for AI Agent Hosts (Ubuntu 22.04) so you know what “good” looks like.
2) OpenClaw Runtime Hardening
Agents must be isolated by design.
– Defaults: dmPolicy: allowlist, groupPolicy: allowlist, sandbox: { mode: "on" }, tools.profile: "minimal", features: { lossless_claw: true, context_engine: true }.
– Isolation: never share agentDir between agents; forbid cross-agent reads/writes; keep per-agent env files and per-agent Chrome profiles.
– Secrets hygiene: keep secrets out of prompts and SKILL.md; inject via env; redact tokens in logs; rotate stale env files.
– Model safety: avoid dropping credentials or internal URLs into prompts; prefer local/cheap models for drafts to limit API exposure; reserve higher-trust models for publishing or exec requests.
– Drift detection: add a heartbeat that re-applies the defaults above if they ever flip; log and alert when drift is detected.
– Artifact hygiene: clear old browser profiles after crashes; prune temp files; keep only required tools enabled in tools.profile.
– Exec gating: require explicit approvals for elevated commands; log every exec attempt and alert on anything outside the allowlist.
– Blast radius: keep agents single-purpose; avoid long-lived monolith agents that mix publishing, billing, and scraping; smaller agents make auditing and containment simpler.
3) Gateway and Browser Security
Chrome/CDP is a major attack surface. Lock it down.
– Run gateway headless with sandbox disabled but tightly bound: --headless=new --no-sandbox --remote-debugging-address=127.0.0.1 --remote-debugging-port=18800.
– Never expose CDP publicly; if you need remote access, tunnel over SSH: ssh -L 18800:127.0.0.1:18800 user@host.
– Profiles: keep separate Chrome profiles per agent to avoid cookie/token bleed; clear profiles on crashes; store them under each agent’s workspace.
– Service management: ensure openclaw gateway status is green; restart applies new flags; bake flags into your systemd unit.
– Validation: after every deploy run nmap -sV localhost to confirm only intended ports are open and CDP is loopback-only.
– Browser extensions: avoid persistent extensions unless audited; clear extension state between runs to prevent data bleed.
– Follow the upstream OpenClaw Gateway Hardening Guide for flag defaults and troubleshooting.
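The loopback check that sections 1 and 3 run by hand (ss -ltnp | grep 18800) is easy to automate. The script below is an added example, not OpenClaw or Chrome tooling: it parses `ss -ltnp` output and fails when any listener on the CDP port is bound to something other than 127.0.0.1 or ::1 (0.0.0.0, `*`, `[::]` or a LAN address). The sample `ss` output is constructed for the demo; the port constant is the guide's 18800.

```python
"""Verify that the Chrome CDP listener (port 18800) is bound to loopback only.

Added example, not OpenClaw or Chrome code. Parses `ss -ltnp` output and
reports any CDP listener that is not on 127.0.0.1 / ::1. SAMPLE_SS_OUTPUT is
constructed: one correct loopback bind, one accidental wildcard bind, and an
unrelated sshd listener.
"""
import subprocess
import sys

CDP_PORT = 18800
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       10      127.0.0.1:18800      0.0.0.0:*          users:(("chrome",pid=4120,fd=45))
LISTEN  0       10      0.0.0.0:18800        0.0.0.0:*          users:(("chrome",pid=4188,fd=45))
"""


def parse_listeners(ss_output: str) -> list:
    """Return (address, port, process) for every LISTEN row of `ss -ltnp` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms like "[::]:18800" and "*:18800" intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        proc = fields[5] if len(fields) > 5 else ""
        listeners.append((addr, int(port), proc))
    return listeners


def exposed_cdp_binds(ss_output: str, port: int = CDP_PORT) -> list:
    """Addresses on `port` that are NOT loopback; an empty list means the port is safe."""
    return [
        addr for addr, p, _ in parse_listeners(ss_output)
        if p == port and addr not in LOOPBACK
    ]


def cdp_loopback_only(ss_output: str, port: int = CDP_PORT) -> bool:
    """True when every listener on the CDP port is bound to 127.0.0.1 or ::1."""
    return not exposed_cdp_binds(ss_output, port)


if __name__ == "__main__":
    # On a real host, feed live `ss -ltnp` output through the same check.
    live = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    bad = exposed_cdp_binds(live)
    if bad:
        print(f"CDP port {CDP_PORT} exposed on: {', '.join(bad)}")
        sys.exit(1)
    print(f"CDP port {CDP_PORT} is loopback-only (or not listening)")
```

Run it from the post-deploy hook or the weekly check alongside nmap; a non-zero exit is the signal to page someone, since the FAQ's remote `nmap -p 18800 TARGET_IP` would show the same port open from outside.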
4) Credential and Secrets Management
Treat every key as toxic waste.
– Segmentation: separate staging vs prod credentials and OAuth profiles; never reuse refresh tokens across agents or environments.
– Storage: put secrets in env files with chmod 600; avoid storing tokens in git or prompts; enable secret scanning on your repo.
– Vaulting: if you have a team, store secrets in Vault/KMS/sops with per-service ACLs; keep rotation dates and owners in a simple ledger.
– Rotation: quarterly or after any incident; rotate AI provider keys faster if exposed; remove unused keys immediately.
– Patterns: prefer short-lived tokens; scope credentials to the minimum API set; avoid wildcard OAuth scopes.
– Reference: HashiCorp’s Vault best practices for AI agents covers good defaults for transient keys.
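The storage rule above (env files at mode 600, owned by the agent user, no secrets in git) can be audited on every deploy. The script below is an added example, not part of OpenClaw: it walks a workspace, checks each agent's env file for group/other permission bits, a stray execute bit, a symlink in place of a regular file, and ownership by the expected uid. The one-`.env`-per-agent layout under a workspace root is an assumption for the demo, and the demo files contain placeholder values only.

```python
"""Audit per-agent env files against the guide's storage rules.

Added example, not OpenClaw code. Layout assumption: <workspace>/<agent>/.env.
demo() builds a constructed workspace in a temp dir with one correct file
(0600) and one world-readable file (0644) and audits both.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def audit_env_file(path: Path, expected_uid: Optional[int] = None) -> list:
    """Return human-readable findings for one secrets file; an empty list means it passes."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink (secrets files should be regular files)")
        st = os.stat(path)  # inspect the target's bits as well
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode is {mode:04o}, expected 0600 (group/other bits set)")
    if mode & stat.S_IXUSR:
        findings.append("owner execute bit set on a data file")
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        findings.append(f"owned by uid {st.st_uid}, expected {uid}")
    return findings


def audit_workspace(root: Path, pattern: str = "*/.env") -> dict:
    """Audit every agent env file under `root`; keys are paths relative to root."""
    return {
        str(p.relative_to(root)): audit_env_file(p)
        for p in sorted(root.glob(pattern))
    }


def demo() -> dict:
    """Construct a workspace with one good and one bad env file and audit it."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-envaudit-"))
    good = root / "publisher" / ".env"
    bad = root / "scraper" / ".env"
    for env_file in (good, bad):
        env_file.parent.mkdir()
        env_file.write_text("API_KEY=placeholder-not-a-real-key\n")  # constructed
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)  # the classic mistake: readable by every local user
    return audit_workspace(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Point `audit_workspace` at the real workspace root in a cron job and fail the job when any finding list is non-empty; pair it with a secret-scanning hook on the repo so the same key cannot leak through git.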
5) OpenClaw Configuration Checklist
Baseline security knobs inside OpenClaw.
– openclaw.json should include:
– sandbox.mode: "on"
– dmPolicy: "allowlist", groupPolicy: "allowlist"
– tools.profile: "minimal"
– features.lossless_claw: true, features.context_engine: true
– Sample config block to diff against during audits:
{
"dmPolicy": "allowlist",
"groupPolicy": "allowlist",
"sandbox": {"mode": "on"},
"tools": {"profile": "minimal"},
"features": {"lossless_claw": true, "context_engine": true}
}
- Verification: run jq '.dmPolicy, .sandbox.mode, .tools.profile' /home/USER/.openclaw/openclaw.json after deploys; alert if values drift.
- Heartbeats/cron: add a drift detector that reloads configs and re-applies these values if changed.
- Model routing: keep high-risk actions on safer models; inject API keys via env, not prompts; log model/tool errors and alert on spikes.
- Agent creation: enforce least privilege defaults on every new agent; forbid touching other agent workspaces by policy.
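The drift detector that section 2 and the heartbeat item above call for, written out as an added example rather than OpenClaw's own tooling. It checks the six security defaults from the sample config by their jq-style paths, reports every value that drifted (a missing key counts as drift), and can rewrite the file with the defaults re-applied using an atomic rename. The default path mirrors the guide's jq command; SAMPLE_DRIFTED is a constructed config used by the demo.

```python
"""Drift detector for the openclaw.json security defaults.

Added example, not OpenClaw code. EXPECTED holds the guide's defaults keyed by
jq-style path; heartbeat() loads a config, reports drift and optionally
re-applies the defaults. SAMPLE_DRIFTED is a constructed config in which two
values flipped and the features block is missing entirely.
"""
import json
import os
import tempfile
from pathlib import Path

EXPECTED = {
    ".dmPolicy": "allowlist",
    ".groupPolicy": "allowlist",
    ".sandbox.mode": "on",
    ".tools.profile": "minimal",
    ".features.lossless_claw": True,
    ".features.context_engine": True,
}

DEFAULT_CONFIG = Path.home() / ".openclaw" / "openclaw.json"

SAMPLE_DRIFTED = {
    "dmPolicy": "allowlist",
    "groupPolicy": "allowlist",
    "sandbox": {"mode": "off"},
    "tools": {"profile": "full"},
}


def _lookup(config: dict, path: str):
    """Walk a jq-style path like '.sandbox.mode'; None if any key is missing."""
    node = config
    for key in path.strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _assign(config: dict, path: str, value) -> None:
    """Set a jq-style path, creating intermediate objects as needed."""
    keys = path.strip(".").split(".")
    node = config
    for key in keys[:-1]:
        if not isinstance(node.get(key), dict):
            node[key] = {}
        node = node[key]
    node[keys[-1]] = value


def find_drift(config: dict, expected: dict = EXPECTED) -> dict:
    """Map drifted path -> (expected, actual); an empty dict means no drift."""
    return {
        path: (want, _lookup(config, path))
        for path, want in expected.items()
        if _lookup(config, path) != want
    }


def apply_defaults(config: dict, expected: dict = EXPECTED) -> dict:
    """Return a deep copy of `config` with every default re-applied."""
    fixed = json.loads(json.dumps(config))
    for path, want in expected.items():
        _assign(fixed, path, want)
    return fixed


def heartbeat(path: Path, remediate: bool = False) -> dict:
    """One heartbeat run: load, report drift, optionally rewrite with defaults."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    drift = find_drift(config)
    if drift and remediate:
        tmp = path.with_name(path.name + ".tmp")
        tmp.write_text(json.dumps(apply_defaults(config), indent=2) + "\n", encoding="utf-8")
        os.replace(tmp, path)  # atomic swap: a crash never leaves a half-written config
    return drift


def demo_roundtrip() -> tuple:
    """Write SAMPLE_DRIFTED to a temp file, then detect -> remediate -> re-check."""
    path = Path(tempfile.mkdtemp(prefix="openclaw-drift-")) / "openclaw.json"
    path.write_text(json.dumps(SAMPLE_DRIFTED, indent=2), encoding="utf-8")
    before = heartbeat(path, remediate=True)  # reports drift and rewrites the file
    after = heartbeat(path)                   # clean on the second pass
    return len(before), len(after)


if __name__ == "__main__":
    # A missing config file is treated as "everything drifted".
    drift = heartbeat(DEFAULT_CONFIG) if DEFAULT_CONFIG.exists() else find_drift({})
    for p, (want, got) in drift.items():
        print(f"DRIFT {p}: expected {want!r}, found {got!r}")
    raise SystemExit(1 if drift else 0)
```

Run `heartbeat(DEFAULT_CONFIG)` from cron without `remediate` first so you see what flips and how often; turn remediation on only once the alerting path is proven, since silently rewriting the config hides whoever (or whatever) changed it.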
6) Network & Data Egress Controls
Reduce where data can go.
– Outbound allowlist where feasible (ufw/iptables); at minimum block known bad ranges and restrict to required APIs.
– Keep browser traffic confined to the gateway and localhost CDP; avoid exposing --remote-debugging-port to 0.0.0.0.
– DNS/Proxy: consider DoH if policy requires; pin resolvers you trust; log DNS queries for anomaly detection.
– Data exfil prevention: scrub PII from prompts; avoid uploading raw customer data; apply content filters if available; restrict file upload skills to specific hosts.
– Egress logging: mirror firewall logs to your SIEM; alert on new outbound destinations or large POST bodies from non-publishing agents.
– Proxies: if you must proxy browser traffic, terminate TLS with trusted certs and pin your CA; block unknown MIME types and downloads by default.
7) Monitoring, Logging, and Alerting
You can’t fix what you don’t see.
– Collect: OpenClaw agent logs, gateway logs, auditd, syslog, journal, fail2ban, and firewall events; ship to ELK/Grafana/CloudWatch with per-agent tags.
– Alerts: spikes in tool errors, repeated denied commands, unexpected exec attempts, gateway restarts, CDP bind failures, and failed drift checks. Add SLOs for error rate and publish latency so anomalies trigger early.
– Health probes: add heartbeat tasks that assert sandbox.mode is on, CDP is loopback-bound, and lossless_claw/context_engine are enabled; alert on any flip.
– Metrics to watch: CPU/RAM per agent, disk usage on browser profiles, HTTP 5xx from models, and saturation on your firewall or proxy.
– Periodic checks: nmap -sV localhost weekly; dependency updates review monthly; verify log shipping is green after restarts; run spot audits against OWASP Top 10 for LLM Applications (2026).
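Two of the alerts above, exec attempts outside an agent's allowlist and a tool-error spike, implemented as rules over log lines. This is an added example, not OpenClaw code: the JSON-lines log format, its field names, and the per-agent allowlist are assumptions for the demo, and the log lines are constructed. Map the field names to whatever your shipper actually emits.

```python
"""Alert rules over OpenClaw-style agent logs.

Added example, not OpenClaw code. Assumed log format: one JSON object per
line with ts, agent, event and either cmd (exec) or tool (tool_error).
SAMPLE_LOG is constructed: one exec outside the scraper's allowlist and a
burst of four browser errors inside five minutes.
"""
import json
from collections import deque
from datetime import datetime, timedelta

# Assumed policy: executables each agent may invoke.
EXEC_ALLOWLIST = {"publisher": {"git", "hugo"}, "scraper": {"curl"}}

SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:00Z","agent":"publisher","event":"exec","cmd":"git push origin main"}
{"ts":"2026-01-10T09:00:05Z","agent":"scraper","event":"exec","cmd":"curl https://example.com/page"}
{"ts":"2026-01-10T09:00:09Z","agent":"scraper","event":"exec","cmd":"sudo systemctl restart openclaw-gateway"}
{"ts":"2026-01-10T09:01:00Z","agent":"publisher","event":"tool_error","tool":"browser"}
{"ts":"2026-01-10T09:01:10Z","agent":"publisher","event":"tool_error","tool":"browser"}
{"ts":"2026-01-10T09:01:20Z","agent":"publisher","event":"tool_error","tool":"browser"}
{"ts":"2026-01-10T09:01:25Z","agent":"publisher","event":"tool_error","tool":"browser"}
{"ts":"2026-01-10T09:30:00Z","agent":"publisher","event":"tool_error","tool":"model"}
"""


def parse_events(log_text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def exec_violations(events: list, allowlist: dict = EXEC_ALLOWLIST) -> list:
    """(agent, cmd) for every exec whose first token is outside the agent's allowlist.

    An agent with no allowlist entry is allowed nothing, so unknown agents alert too.
    """
    hits = []
    for ev in events:
        if ev.get("event") != "exec":
            continue
        tokens = ev.get("cmd", "").split()
        binary = tokens[0] if tokens else ""
        if binary not in allowlist.get(ev.get("agent"), set()):
            hits.append((ev.get("agent"), ev.get("cmd")))
    return hits


def error_spikes(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """(agent, ts) each time an agent's tool_error count within `window` first reaches threshold."""
    spikes = []
    recent = {}  # agent -> deque of timestamps inside the window
    for ev in events:
        if ev.get("event") != "tool_error":
            continue
        q = recent.setdefault(ev["agent"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:  # fire once per burst, not on every extra error
            spikes.append((ev["agent"], ev["ts"]))
    return spikes


def run_rules(log_text: str) -> dict:
    """Evaluate every rule over a log text and return the findings by rule name."""
    events = parse_events(log_text)
    return {"exec_violations": exec_violations(events), "error_spikes": error_spikes(events)}


if __name__ == "__main__":
    for rule, findings in run_rules(SAMPLE_LOG).items():
        print(rule, findings)
```

The sliding window fires once when a burst crosses the threshold and then stays quiet until the window drains, which keeps a flapping browser from paging every ten seconds; tune `threshold` and `window` per agent against your error-rate SLO.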
8) Incident Response & Backup
Have a playbook before you need it.
– Containment: revoke tokens, disable affected agents, rotate OAuth credentials, and cut CDP tunnels if abuse is suspected.
– Preservation: copy logs and audit trails before cleanup; keep at least 30 days of compressed logs; snapshot affected browsers before wiping.
– Recovery: restore from known-good snapshots of agentDir and configs; test restores monthly so backups are proven; keep RTO/RPO targets visible so you know when to escalate.
– Post-incident: add heartbeat rules to catch the specific class of failure (e.g., sandbox drift, CDP exposure); document the timeline and the fix; schedule a tabletop review to rehearse the response.
9) Production Launch Checklist (Printable)
Use this before you expose any production data:
– [ ] OS patched, rebooted within 7 days; CIS hardening gaps addressed.
– [ ] SSH keys only, fail2ban active, ufw default deny, 18800 not exposed; CDP bound to localhost.
– [ ] openclaw.json matches security defaults; lossless_claw/context_engine enabled; drift detector running.
– [ ] Gateway bound to 127.0.0.1 with headless Chrome flags; profiles separated per agent.
– [ ] Secrets in env files (600), staging/prod separated; rotation dates recorded; no secrets in prompts or git.
– [ ] Monitoring + alerts wired; log shipping verified; health probes for sandbox/CDP/model errors live.
– [ ] Backups tested; incident playbook printed or stored with access; restore drill completed.
– [ ] Pen-test the surface: attempt prompt injection against a staging agent, run nmap -sV localhost, and confirm CDP remains loopback-only.
– [ ] Share the runbook with on-call engineers and keep a printed copy for when SSH is down.
10) FAQ
Can I expose the browser CDP port? No—bind to localhost and tunnel if needed.
How do I use local models safely? Keep them isolated (e.g., Ollama in its own user), set resource limits, and follow the same sandbox + network controls.
What about multi-tenant use? Use separate VMs/containers and separate OAuth profiles; never let tenants share agentDir or CDP sessions; log per-tenant actions.
How does this map to LLM security risks? Align your mitigations with the OWASP Top 10 for LLM Applications (2026) so prompt injection, data leaks, and model abuse are explicitly covered.
Do I ever need root-level agents? Almost never. Keep agents unprivileged; when you must run elevated commands, gate them behind explicit approvals, short-lived sudo tokens, and detailed audit logs.
How do I quickly check for accidental CDP exposure? From a remote host run nmap -p 18800 TARGET_IP. It should be closed. Locally, ss -ltnp | grep 18800 should show 127.0.0.1 only.
Related Guides
- OpenClaw security hardening checklist
- OpenClaw VPS setup
- OpenClaw multi-model routing setup
- OpenClaw embed strategy
- OpenClaw vs Alternatives 2026
Conclusion
Security is a process, not a toggle. Start with the defaults above, automate drift detection, and schedule monthly hardening reviews. Your agents stay useful only as long as they stay contained.