fix(browser): require auth on control HTTP and auto-bootstrap token

Peter Steinberger
2026-02-13 02:01:57 +01:00
parent 85409e401b
commit 9230a2ae14
11 changed files with 634 additions and 5 deletions


@@ -192,6 +192,7 @@ Notes:
Key ideas:
- Browser control is loopback-only; access flows through the Gateways auth or node pairing.
- If browser control is enabled and no auth is configured, OpenClaw auto-generates `gateway.auth.token` on startup and persists it to config.
- Keep the Gateway and any node hosts on a private network (Tailscale); avoid public exposure.
- Treat remote CDP URLs/tokens as secrets; prefer env vars or a secrets manager.
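Review bot: the new bullet on auto-generating `gateway.auth.token` says the token is persisted to config but does not say that the config file now holds a credential, while the last bullet in the same list asks readers to treat remote CDP URLs/tokens as secrets and to prefer env vars or a secrets manager. Suggest adding a sentence on how that file should be protected, and on how an operator who keeps secrets outside the config sets auth up front so that no token is generated and written on startup.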
@@ -315,6 +316,11 @@ For local integrations only, the Gateway exposes a small loopback HTTP API:
All endpoints accept `?profile=<name>`.
If gateway auth is configured, browser HTTP routes require auth too:
- `Authorization: Bearer <gateway token>`
- `x-openclaw-password: <gateway password>` or HTTP Basic auth with that password
### Playwright requirement
Some features (navigate/act/AI snapshot/role snapshot, element screenshots, PDF) require
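Review bot: the sentence "If gateway auth is configured, browser HTTP routes require auth too" reads as if the routes stay open when no auth is configured, which does not line up with the commit subject ("require auth on control HTTP") or with the auto-generated token described in the first hunk. Suggest stating the unconfigured case explicitly in this paragraph. The Basic auth item also leaves out which username is expected, and the section does not say what a client receives when credentials are missing or wrong.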