Security Check

Control UI Device Auth: Browser Access Control

The Control UI is OpenClaw's web-based management interface. By default, it requires a secure context (HTTPS/localhost) and device identity verification.

Why It Matters

Disabling device auth (dangerouslyDisableDeviceAuth) lets any browser reach the Control UI without verifying the device. Combined with network exposure, this hands an attacker who can reach the listener the complete management interface.

How to Fix

Remove the dangerouslyDisableDeviceAuth and allowInsecureAuth flags. Access the Control UI only via localhost or a secure tunnel.

openclaw.json
{
  "gateway": {
    "controlUi": {
      "enabled": true
    }
  }
}
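As an added example (not OpenClaw's own code), the following audit walks a parsed openclaw.json and reports any of the two flags named above that are set, then produces the remediated config with them removed. The page does not say where the flags live in the tree, so the constructed sample places them under gateway.controlUi as an assumption; the walker itself searches every level and does not depend on that placement.

```javascript
// Added example, not OpenClaw's own code: audit a parsed openclaw.json for the
// two flags this check targets, wherever they appear in the config tree.
const DANGEROUS_FLAGS = ["dangerouslyDisableDeviceAuth", "allowInsecureAuth"];

// Recursively collect every dangerous flag set to a truthy value, as a dotted path.
function findInsecureAuthFlags(config, path = []) {
  const findings = [];
  if (config === null || typeof config !== "object") return findings;
  for (const [key, value] of Object.entries(config)) {
    const here = [...path, key];
    if (DANGEROUS_FLAGS.includes(key) && value) findings.push(here.join("."));
    findings.push(...findInsecureAuthFlags(value, here));
  }
  return findings;
}

// Return a copy of the config with the dangerous flags removed; this is the
// remediation the check describes, so device auth is enforced by default again.
function removeInsecureAuthFlags(config) {
  if (Array.isArray(config)) return config.map(removeInsecureAuthFlags);
  if (config === null || typeof config !== "object") return config;
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    if (DANGEROUS_FLAGS.includes(key)) continue;
    out[key] = removeInsecureAuthFlags(value);
  }
  return out;
}

// Constructed sample of a weakened config. Placing the flags under
// gateway.controlUi is an assumption; the walker does not rely on it.
const SAMPLE_WEAK_CONFIG = {
  gateway: {
    controlUi: {
      enabled: true,
      dangerouslyDisableDeviceAuth: true,
      allowInsecureAuth: true,
    },
  },
};

// Run the audit before and after remediation and return both results.
function auditSample() {
  const before = findInsecureAuthFlags(SAMPLE_WEAK_CONFIG);
  const fixed = removeInsecureAuthFlags(SAMPLE_WEAK_CONFIG);
  return { before, after: findInsecureAuthFlags(fixed), fixed };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

A flag that is present but set to false is not reported, since only a truthy value disables the check.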

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.