Security Check

Gateway Bind Address: Control Your Attack Surface

By default, OpenClaw binds its gateway to loopback (127.0.0.1), so it is reachable only from processes on the same machine. Changing gateway.bind to "lan" or "custom" makes the gateway listen on a network interface, reachable from other hosts on the network and, if the host is directly routable, from the internet.

Why It Matters

A gateway bound to a network interface can be found by port scanners; if it also lacks authentication, anyone who finds it can use it. Security researchers have found hundreds of thousands of exposed OpenClaw instances online. Keep the gateway loopback-only, or, if it must be reachable remotely, require strong authentication and restrict which addresses can reach the port.

How to Fix

Keep gateway.bind as "loopback" (the default). If you need remote access, use an SSH tunnel or Tailscale instead of exposing the port directly: both leave the port bound to loopback on the host and carry remote traffic over an authenticated, encrypted channel.

openclaw.json
{
  "gateway": {
    "bind": "loopback"
  }
}
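The config check and the follow-up socket check that the text describes, as an added example (not OpenClaw's or Clawctl's own code). It assumes the openclaw.json schema shown above; the gateway port 18789 and the `ss -ltn` output it parses are constructed placeholders, and the SSH tunnel helper only formats the command the page recommends.

```python
"""Added example: verify that an OpenClaw gateway is loopback-only.

Not OpenClaw or Clawctl code. Assumes the config schema on the page:
{"gateway": {"bind": "loopback" | "lan" | "custom"}}. The port number and
the `ss -ltn` sample are constructed for illustration.
"""
import ipaddress
import json
from typing import Optional

LOOPBACK_BIND = "loopback"          # the documented default
EXPOSING_BINDS = {"lan", "custom"}  # values the page says expose the gateway
ASSUMED_GATEWAY_PORT = 18789        # placeholder; not taken from the page


def bind_verdict(config_text: str) -> dict:
    """Classify gateway.bind from an openclaw.json document.

    A missing gateway section or bind key counts as loopback, since the
    page states that loopback is the default. Any value other than the
    three documented ones is treated as exposed, to fail closed.
    """
    cfg = json.loads(config_text)
    gateway = cfg.get("gateway") or {}
    bind = gateway.get("bind", LOOPBACK_BIND)
    if bind == LOOPBACK_BIND:
        return {"bind": bind, "exposed": False, "reason": "loopback-only (default)"}
    if bind in EXPOSING_BINDS:
        return {"bind": bind, "exposed": True,
                "reason": f'bind "{bind}" listens on a network interface'}
    return {"bind": bind, "exposed": True,
            "reason": "unrecognised bind value; treating as exposed"}


def listener_is_loopback_only(ss_output: str, port: int) -> Optional[bool]:
    """Confirm from `ss -ltn` output that `port` only listens on loopback.

    Config is what the process was told; the socket table is what it did.
    Returns True if every listener on the port is a loopback address,
    False if any listener is on a wildcard or non-loopback address,
    None if nothing listens on that port at all.
    """
    found = False
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, p = fields[3].rpartition(":")  # "Local Address:Port"
        if not p.isdigit() or int(p) != port:
            continue
        found = True
        addr = addr.strip("[]")  # IPv6 is shown as [::1]:port
        if addr in ("*", ""):
            return False  # wildcard bind: every interface
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:
            return False  # scoped or otherwise unparsable address: fail closed
    return True if found else None


def ssh_tunnel_command(remote_host: str, port: int = ASSUMED_GATEWAY_PORT) -> str:
    """Format the SSH tunnel the page recommends instead of a LAN bind.

    Forwards a local port to the gateway's loopback port on remote_host,
    so the gateway itself never has to leave 127.0.0.1.
    """
    return f"ssh -N -L {port}:127.0.0.1:{port} {remote_host}"


# Constructed `ss -ltn` sample: gateway on loopback (v4 and v6), sshd on all interfaces.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::1]:18789         [::]:*
"""

if __name__ == "__main__":
    for text in ('{"gateway": {"bind": "loopback"}}', '{"gateway": {"bind": "lan"}}', "{}"):
        print(bind_verdict(text))
    print("gateway loopback-only:", listener_is_loopback_only(SS_SAMPLE, ASSUMED_GATEWAY_PORT))
    print("sshd loopback-only:   ", listener_is_loopback_only(SS_SAMPLE, 22))
    print(ssh_tunnel_command("user@gateway-host"))
```

Run the socket check against real output with `ss -ltn` (Linux); the config check alone is not enough, because an operator can override the config with flags or environment, and the socket table is what scanners actually see.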

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.