vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 04:30:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden sandbox browser network defaults

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 14:01:40 +01:00
parent cf82614259
commit f48698a50b
19 changed files with 224 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/install/docker.md
View File

@@ -495,6 +495,8 @@ Notes:
- Headful (Xvfb) reduces bot blocking vs headless.
- Headless can still be used by setting `agents.defaults.sandbox.browser.headless=true`.
- No full desktop environment (GNOME) is needed; Xvfb provides the display.
- Browser containers default to a dedicated Docker network (`openclaw-sandbox-browser`) instead of global `bridge`.
- Optional `agents.defaults.sandbox.browser.cdpSourceRange` restricts container-edge CDP ingress by CIDR (for example `172.21.0.1/32`).
- noVNC observer access is password-protected by default; OpenClaw provides a short-lived observer token URL instead of sharing the raw password in the URL.
Use config: