Reverse proxy trust correctly configured
What this checks
Checks that gateway.trustedProxies is explicitly set (even if empty) when the gateway binds to loopback, which is the deployment where a reverse proxy is normally expected in front of it.
Why it matters
Without a trusted-proxy configuration the gateway cannot tell a genuine proxy hop from a forged one. If X-Forwarded-For is honoured from any peer, a remote client can send X-Forwarded-For: 127.0.0.1 and pass checks meant for local clients; if the header is ignored, every request arriving through a loopback proxy appears to come from 127.0.0.1 with the same effect. Either way, checks that treat loopback connections as trusted local clients can be bypassed.
How to fix it
Step 1 Decide which path applies to you:
Path A You do use a reverse proxy (nginx, Caddy, Cloudflare Tunnel, Tailscale funnel, etc.) in front of the OpenClaw Control UI.
Find your proxy's outbound IP (the IP it uses to forward requests to OpenClaw), then add it to your config. List only the proxy's own address, not a whole LAN range, and make sure the proxy overwrites any X-Forwarded-For header it receives from clients rather than passing it through, since anything a trusted proxy forwards is believed:
gateway:
trustedProxies:
- 127.0.0.1 # localhost proxy (nginx/Caddy on same machine)
- 192.168.1.1 # LAN proxy
- 100.x.x.x # Tailscale IP of your proxy node
This tells OpenClaw to trust X-Forwarded-For headers from those IPs so real client IPs are used in access checks.
Path B You do NOT use a reverse proxy. The Control UI is strictly localhost-only and never exposed externally. Set an explicit empty list to document the intent and silence the finding:
gateway:
trustedProxies: []
Step 2 Restart the gateway to apply the change:
openclaw gateway restart
Step 3 Verify: Re-run openclaw security audit --json and confirm gateway.trusted_proxies_missing no longer appears in findings.
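To make the trust model behind Path A and Path B concrete, here is a small added example (not OpenClaw's or clawvitals' own code) of how an X-Forwarded-For chain is resolved against a trustedProxies list. The header is only honoured when the TCP peer is itself a trusted proxy, and the chain is walked right-to-left so that hops a client planted in the header are never reached. Accepting CIDR entries, the None result for a malformed hop, and the loopback set used by is_local_client are assumptions of this example, not documented OpenClaw behaviour; 203.0.113.5 is a constructed documentation-range address standing in for a remote attacker.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Addresses a "local client" check would accept. Constructed for this example.
LOOPBACK: List[Network] = [ipaddress.ip_network("127.0.0.0/8"),
                           ipaddress.ip_network("::1/128")]


def parse_trusted(entries: Iterable[str]) -> List[Network]:
    """Turn a trustedProxies list into networks. Single IPs become /32 or /128;
    accepting CIDR entries here is an assumption of this example."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_any(addr: str, nets: Iterable[Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: Iterable[str]) -> Optional[str]:
    """Resolve the real client address from the TCP peer and X-Forwarded-For.

    - If the peer is not a trusted proxy, the header is ignored: a client that
      connects directly cannot claim to be someone else.
    - Otherwise walk the chain right-to-left, skipping trusted proxies; the
      first untrusted hop is the client. Anything a client put in the header
      itself sits further left and is never reached.
    - A hop that is not a valid IP makes the result unknown (None), so callers
      fail closed instead of trusting a string like "localhost".
    """
    trusted = parse_trusted(trusted_proxies)
    if not in_any(remote_addr, trusted) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not in_any(hop, trusted):
            return hop
    # Every hop was a trusted proxy: the chain started inside the trusted set.
    return hops[0]


def is_local_client(remote_addr: str, xff: Optional[str],
                    trusted_proxies: Iterable[str]) -> bool:
    """The kind of check the finding is about: is this request from loopback?"""
    client = resolve_client_ip(remote_addr, xff, trusted_proxies)
    return client is not None and in_any(client, LOOPBACK)


if __name__ == "__main__":
    # Constructed scenarios: the proxy runs on 127.0.0.1, the attacker is remote.
    cases = [
        ("direct connection, forged header, nothing trusted",
         "203.0.113.5", "127.0.0.1", []),
        ("proxy on loopback but trustedProxies empty (what the finding flags)",
         "127.0.0.1", "203.0.113.5", []),
        ("proxy on loopback and trusted (Path A)",
         "127.0.0.1", "203.0.113.5", ["127.0.0.1"]),
        ("attacker pre-seeds the header, proxy appends the real peer",
         "127.0.0.1", "127.0.0.1, 203.0.113.5", ["127.0.0.1"]),
        ("genuinely local browser through the local proxy",
         "127.0.0.1", "127.0.0.1", ["127.0.0.1"]),
    ]
    for label, peer, xff, trusted in cases:
        print(f"{label}: client={resolve_client_ip(peer, xff, trusted)} "
              f"local={is_local_client(peer, xff, trusted)}")
```

The second scenario is the one this control exists for: with a proxy on loopback and no trusted proxies, every proxied request resolves to 127.0.0.1 and passes the local-client check. The fourth shows why the right-to-left walk matters: a client that pre-seeds X-Forwarded-For with 127.0.0.1 is still identified by the address the trusted proxy appended.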
Technical details
| Field | Value |
|---|---|
| Control ID | NC-AUTH-001 |
| Domain | AUTH |
| Severity | High |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v0.1.0 |
False positive notes
Expected on loopback-only installs that don't use a reverse proxy. Prefer Path B (an explicit trustedProxies: []) over an exclusion, since it records the intent in the config itself and resolves the finding; exclude only if changing the config is not an option.
Suppress this finding
If this finding is intentional or not applicable to your setup, you can exclude it:
clawvitals exclude NC-AUTH-001 reason "your reason here"
Exclusions are auditable and expire automatically. See the exclusions guide.