From 808a60d3bdf8b7436e836525d74c4c6dafc38dd8 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Thu, 19 Feb 2026 14:25:34 +0100 Subject: [PATCH] docs: clarify intentional network-visible canvas model in security policy --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 63440837047..c64b1ef99cb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -68,6 +68,10 @@ OpenClaw's web interface (Gateway Control UI + HTTP endpoints) is intended for * - Recommended: keep the Gateway **loopback-only** (`127.0.0.1` / `::1`). - Config: `gateway.bind="loopback"` (default). - CLI: `openclaw gateway run --bind loopback`. +- Canvas host note: network-visible canvas is **intentional** for trusted node scenarios (LAN/tailnet). + - Expected setup: non-loopback bind + Gateway auth (token/password/trusted-proxy) + firewall/tailnet controls. + - Expected routes: `/__openclaw__/canvas/`, `/__openclaw__/a2ui/`. + - This deployment model alone is not a security vulnerability. - Do **not** expose it to the public internet (no direct bind to `0.0.0.0`, no public reverse proxy). It is not hardened for public exposure. - If you need remote access, prefer an SSH tunnel or Tailscale serve/funnel (so the Gateway still binds to loopback), plus strong Gateway auth. - The Gateway HTTP surface includes the canvas host (`/__openclaw__/canvas/`, `/__openclaw__/a2ui/`). Treat canvas content as sensitive/untrusted and avoid exposing it beyond loopback unless you understand the risk.
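Review bot: The new "Canvas host note" bullets sit in tension with the unchanged last bullet of the same section, which still says "Treat canvas content as sensitive/untrusted and avoid exposing it beyond loopback unless you understand the risk"; a reader now gets both "avoid exposing beyond loopback" and "network-visible is intentional ... not a security vulnerability" a few lines apart with no statement of which applies when. Suggest the new note spell out the condition that makes the exposure acceptable rather than leaving it implied: "Expected setup: non-loopback bind + Gateway auth (token/password/trusted-proxy) + firewall/tailnet controls" reads as a description, not a requirement, so consider wording it as "only when Gateway auth is enabled and the bind is restricted to a LAN/tailnet", and make the closing sentence conditional on that, e.g. "A network-visible canvas with Gateway auth enabled and no public exposure is not, by itself, a vulnerability; reports of canvas/a2ui routes reachable without auth or from the public internet are still in scope." The "Expected routes" bullet also duplicates the route list already given in the last bullet of the section (`/__openclaw__/canvas/`, `/__openclaw__/a2ui/`), so either drop it here or move the whole canvas note next to that existing canvas bullet so the two statements about the same surface are adjacent and consistent.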