Security Guide
10 steps to a locked-down AI assistant deployment. Work through them once before going live, and keep up the two recurring ones (key rotation and log review).
1. Generate a random 64-character string using openssl rand -hex 32 and set it as your GATEWAY_TOKEN.
2. Use Caddy or nginx with Let's Encrypt to encrypt all traffic to your OpenClaw instance.
3. Run ufw allow 22/tcp, ufw allow 80/tcp, ufw allow 443/tcp, then ufw enable.
4. Install unattended-upgrades and configure it to apply security patches automatically.
5. Store API keys and tokens in .env files with chmod 600 permissions, not in config files.
6. Install fail2ban to block IP addresses after repeated failed SSH login attempts.
7. Configure your hosting provider's network firewall in addition to the server-level firewall.
8. Set a calendar reminder to regenerate your GATEWAY_TOKEN and AI provider API keys quarterly.
9. Review /var/log/auth.log and OpenClaw access logs for unauthorized access attempts.
10. Turn on two-factor authentication on your Hostinger, DigitalOcean, or Hetzner account.
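The shell-level steps above (token generation, firewall, automatic updates, .env permissions, fail2ban and auth.log review) as one script. This is an added example, not code from the guide or the OpenClaw project; it assumes a Debian/Ubuntu host, a .env location of /opt/openclaw/.env, and uses constructed auth.log lines with documentation addresses for its dry run.

```shell
#!/bin/sh
# Added example, not code from the guide or the OpenClaw project. Covers the
# token, firewall, auto-update, .env permission, fail2ban and log-review steps.
# Assumptions: a Debian/Ubuntu host, and /opt/openclaw/.env as the .env path.
set -eu

# 32 random bytes -> 64 hex characters, exactly as the guide specifies.
gen_gateway_token() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'   # fallback without openssl
  fi
}

# Succeeds only for a well-formed token: exactly 64 lowercase hex characters.
valid_gateway_token() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Write the token to a .env file readable by its owner only. The file is
# created under umask 077, so it is never world-readable, even briefly.
write_env_file() {
  env_file="$1"; token="$2"
  ( umask 077; : > "$env_file" )
  chmod 600 "$env_file"
  printf 'GATEWAY_TOKEN=%s\n' "$token" >> "$env_file"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Allow only SSH and HTTP/HTTPS, then enable ufw (needs root).
apply_firewall() {
  ufw allow 22/tcp
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
}

# Let apt install security updates without manual intervention.
apply_unattended_upgrades() {
  apt-get install -y unattended-upgrades
  cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Ban addresses that keep failing SSH login.
apply_fail2ban() {
  apt-get install -y fail2ban
  cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled  = true
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
  systemctl enable --now fail2ban
}

# Count failed SSH logins per source address in an auth.log-style file,
# most frequent first ("count ip" per line), so repeat offenders stand out.
failed_ssh_by_ip() {
  grep 'Failed password' "$1" \
    | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed auth.log lines (RFC 5737 documentation addresses) for a dry run.
sample_auth_log() {
  printf '%s\n' \
    'Jan 10 03:14:07 vps sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2' \
    'Jan 10 03:14:09 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2' \
    'Jan 10 03:15:01 vps sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40212 ssh2' \
    'Jan 10 03:16:44 vps sshd[2251]: Failed password for root from 198.51.100.77 port 33001 ssh2'
}

# HARDEN_APPLY=1 ./harden.sh   (as root, on the server) runs the real steps;
# otherwise the script only demonstrates the token and log-review logic.
if [ "${HARDEN_APPLY:-0}" = "1" ]; then
  env_path="${OPENCLAW_ENV:-/opt/openclaw/.env}"   # assumed location
  write_env_file "$env_path" "$(gen_gateway_token)"
  apply_firewall
  apply_unattended_upgrades
  apply_fail2ban
  echo "hardening applied; GATEWAY_TOKEN written to $env_path"
else
  t="$(gen_gateway_token)"
  valid_gateway_token "$t" && echo "generated a valid 64-hex GATEWAY_TOKEN"
  tmp="$(mktemp)"; sample_auth_log > "$tmp"
  echo "failed SSH logins per source address (sample log):"
  failed_ssh_by_ip "$tmp"
  rm -f "$tmp"
fi
```

Run it without HARDEN_APPLY to see the token check and the per-address failure count on the constructed log; set HARDEN_APPLY=1 as root on the server to apply the firewall, update, and fail2ban changes. Restrictive permissions are set before the secret is written, which is the detail a plain `echo > .env && chmod 600` ordering gets wrong.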
Yes — it's open source and self-hosted. You can audit every line of code, and all data stays on your server.
No — these 10 steps take under an hour and require no prior sysadmin experience.
The biggest risk is a weak or exposed API token. Set a strong one before going live.
Ready to deploy securely? Hostinger KVM 2 includes a pre-configured firewall and 1-click OpenClaw deploy — $6.99/mo with 30-day money back.