Security Check

CORS / Origin Policy: Prevent Cross-Site Attacks

The Control UI uses WebSocket connections. The allowedOrigins setting controls which browser origins are permitted to establish these connections. A wildcard entry ("*") allows any website to connect.

Why It Matters

With a wildcard origin, any website you visit could silently connect to your OpenClaw gateway in the background. This enables cross-site request forgery and data exfiltration through your browser.

How to Fix

Set gateway.controlUi.allowedOrigins to your specific domain(s). Remove any wildcard entries and the dangerouslyAllowHostHeaderOriginFallback flag.

openclaw.json
{
  "gateway": {
    "controlUi": {
      "allowedOrigins": ["https://your-domain.com"]
    }
  }
}
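As an added example (not OpenClaw's or Clawctl's own code), the following audits an openclaw.json document for the two weak settings named above and shows a strict origin check that matches a browser's Origin header against the allowlist exactly; the config field names come from this page, while the sample configs and the helper function names are constructed for the example.

```javascript
// Added example: audit gateway.controlUi origin policy in openclaw.json and
// demonstrate a strict Origin allowlist check. Field names follow the page;
// the configs below are constructed samples, not real deployments.

// Constructed sample configs: one weak (wildcard + fallback flag), one hardened.
const WEAK_CONFIG = JSON.stringify({
  gateway: { controlUi: { allowedOrigins: ["*"], dangerouslyAllowHostHeaderOriginFallback: true } },
});
const HARDENED_CONFIG = JSON.stringify({
  gateway: { controlUi: { allowedOrigins: ["https://your-domain.com"] } },
});

// Reduce a string to a bare origin (scheme://host[:port], lowercase host,
// default port dropped) so comparisons are exact. Returns null for anything
// that is not a parseable URL, including "*" and the literal "null" origin
// browsers send for opaque origins.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Strict allowlist check for a WebSocket handshake: the request's Origin must
// equal one configured origin. A "*" entry is deliberately not honoured, so a
// leftover wildcard in the config fails closed instead of admitting everyone.
function isOriginAllowed(requestOrigin, allowedOrigins) {
  const req = normalizeOrigin(requestOrigin);
  if (req === null) return false;
  return allowedOrigins.some((entry) => normalizeOrigin(entry) === req);
}

// Audit the config text and return human-readable findings (empty = clean).
function auditOriginPolicy(configJson) {
  const cfg = JSON.parse(configJson);
  const ui = cfg?.gateway?.controlUi ?? {};
  const origins = Array.isArray(ui.allowedOrigins) ? ui.allowedOrigins : [];
  const findings = [];
  if (origins.includes("*")) findings.push("wildcard origin lets any website connect");
  for (const entry of origins) {
    if (entry !== "*" && normalizeOrigin(entry) === null) findings.push(`unparseable origin entry: ${entry}`);
  }
  if (ui.dangerouslyAllowHostHeaderOriginFallback === true) {
    findings.push("dangerouslyAllowHostHeaderOriginFallback is enabled");
  }
  return findings;
}
```

Run the audit against your own file with `auditOriginPolicy(require("fs").readFileSync("openclaw.json", "utf8"))`; an empty result means neither weak setting is present.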

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.