NC-AUTH-001
Reverse proxy trust correctly configured
What this checks
Checks that trusted proxies are configured when the gateway binds to loopback.
Why it matters
Without trusted proxy configuration, client IP headers can be spoofed, bypassing local-client security checks.
How to fix it
Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only. See: https://clawvitals.io/docs/NC-AUTH-001
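The sketch below is an added example, not OpenClaw or ClawVitals code. It contrasts a resolver that believes the client-supplied X-Forwarded-For value with one that honours the header only when the direct peer is a listed proxy. The function names, the exact-match proxy list (no CIDR handling) and the sample addresses are assumptions made for illustration.

```javascript
// Added illustration: a generic model of client-IP resolution, not OpenClaw's code.
const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Treat IPv4-mapped IPv6 ("::ffff:127.0.0.1") the same as plain IPv4.
function normalize(ip) {
  return ip.trim().toLowerCase().replace(/^::ffff:/, "");
}

// Weak: believes the leftmost X-Forwarded-For entry, which the client controls.
function naiveClientIp(peer, xff) {
  return xff ? normalize(xff.split(",")[0]) : normalize(peer);
}

// Hardened: the header counts only when the socket peer is a trusted proxy.
// trustedProxies plays the role of gateway.trustedProxies (exact IPs here).
function resolveClientIp(peer, xff, trustedProxies) {
  const trusted = new Set(trustedProxies.map(normalize));
  const peerIp = normalize(peer);
  if (!trusted.has(peerIp) || !xff) return peerIp;
  // Walk right to left: the rightmost entries were appended by our own
  // proxies; everything further left came from the client side.
  const hops = xff.split(",").map(normalize).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peerIp; // header listed only trusted proxies
}

// The kind of decision a local-client check makes on the resolved address.
function isLocalClient(ip) {
  return LOOPBACK.has(normalize(ip));
}

// Constructed sample: a remote client (203.0.113.7) sends its own
// "X-Forwarded-For: 127.0.0.1"; the proxy on the same host appends the
// address it actually saw and connects to the gateway from loopback.
const PROXY_PEER = "127.0.0.1";
const SPOOFED_XFF = "127.0.0.1, 203.0.113.7";

console.log("naive:   ", naiveClientIp(PROXY_PEER, SPOOFED_XFF));
console.log("hardened:", resolveClientIp(PROXY_PEER, SPOOFED_XFF, ["127.0.0.1"]));
```

In this model an empty proxy list makes every proxied request resolve to the proxy's own loopback address, so the local-client check passes for remote users as well.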
Technical details
| Field | Value |
|---|---|
| Control ID | NC-AUTH-001 |
| Domain | AUTH |
| Severity | High |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
Expected on loopback-only installs that don't use a reverse proxy. Consider exclusion if intentional.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-AUTH-001 reason "your reason here"
Exclusions are auditable and expire automatically. See the exclusions guide.