vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: clarify trusted-host assumption for tokenless tailscale

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 12:52:45 +01:00
parent fbb79d4013
commit ede496fa1a
9 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/gateway/security/index.md
View File

@@ -528,6 +528,11 @@ and matching it to the header. This only triggers for requests that hit loopback
and include `x-forwarded-for`, `x-forwarded-proto`, and `x-forwarded-host` as
injected by Tailscale.
**Trust assumption:** tokenless Serve auth assumes the gateway host is trusted.
Do not treat this as protection against hostile same-host processes. If untrusted
local code may run on the gateway host, disable `gateway.auth.allowTailscale`
and require token/password auth.
**Security rule:** do not forward these headers from your own reverse proxy. If
you terminate TLS or proxy in front of the gateway, disable
`gateway.auth.allowTailscale` and use token/password auth (or [Trusted Proxy Auth](/gateway/trusted-proxy-auth)) instead.