OpenClaw Codex

Article

What Never Goes Public: Sanitization Red Lines

Most incidents come from accidental disclosure, not advanced attacks. A public site must therefore enforce strict boundaries on what it publishes.

Never Publish

  • Tokens, API keys, webhook secrets, refresh credentials.
  • Device bindings, exported sessions, raw payloads, user messages.
  • Server IPs, internal hostnames, ports, real paths, service unit names.
  • Full logs containing stack traces, headers, and env fragments.

How to Write Safely

  • Use placeholders: <TOKEN>, <API_KEY>, <HOST>.
  • Publish schema and constraints, not real values.
  • Keep snippets minimal and replaceable.

Web-Side Hardening

  • Unknown paths should return 404, not a 200 that serves the homepage.
  • Block internal artifacts (/ops/, /logs/, /.git/).
  • Do not keep audit outputs under the public web root.
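The three hardening rules above, as an added example (not OpenClaw Codex's own server code): a request-path policy that answers unknown paths with 404 instead of a homepage fallback, refuses /ops/, /logs/ and dot-directories such as /.git/ even when the request hides them behind percent-encoding or "..", and serves only files on an explicit allowlist. The `site` directory, the `published` set and the extra blocked names `audit` and `backup` are assumptions for the illustration.

```python
"""Request-path policy for a public site (added example; not OpenClaw Codex's server code).

Two rules from the hardening list: unknown paths get a 404 rather than a
homepage fallback, and internal artifacts (/ops/, /logs/, dot-directories
such as /.git/) are never served, even when the request hides them behind
percent-encoding or "..". The allowlist of published files is the real
control; the blocklist only adds defense in depth.
"""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from posixpath import normpath
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Directory names that must never be reachable publicly: the page's /ops/ and /logs/,
# plus (assumed here) the audit/backup output the page says must not live under the web root.
BLOCKED_DIRS = {"ops", "logs", "audit", "backup"}


def resolve(raw_path: str, published: set) -> Tuple[int, Optional[str]]:
    """Decide (status, file) for a request path against the exact set of published files.

    published holds relative paths such as {"index.html", "docs/setup.html"}.
    Anything not listed is a 404: there is no "unknown -> homepage" fallback.
    """
    path = unquote(urlsplit(raw_path).path)          # strip ?query/#fragment, decode %2F etc.
    if "\x00" in path:
        return 404, None
    norm = normpath("/" + path.lstrip("/"))          # collapses "..", "//" and "/./"
    parts = [p for p in norm.split("/") if p]
    if any(p.startswith(".") for p in parts):        # /.git, /.env, /.htaccess ...
        return 404, None
    if parts and parts[0].lower() in BLOCKED_DIRS:
        return 404, None
    rel = "/".join(parts)
    if not parts or path.endswith("/"):              # directory request: only its own index
        rel = f"{rel}/index.html" if rel else "index.html"
    return (200, rel) if rel in published else (404, None)


class PublicSiteHandler(BaseHTTPRequestHandler):
    """Minimal handler that serves only resolve()-approved files from `root`."""
    root = "site"                                     # hypothetical directory holding the build output
    published = {"index.html", "docs/setup.html"}     # would be generated from that build output

    def do_GET(self):
        status, rel = resolve(self.path, self.published)
        if status != 200:
            self.send_error(404)                      # identical answer for blocked and unknown paths
            return
        with open(os.path.join(self.root, rel), "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    published = PublicSiteHandler.published
    # Constructed requests showing each decision; none of these touch the network.
    for req in ("/", "/docs/setup.html?v=2", "/missing", "/ops/latest.json",
                "/.git/config", "/.git%2Fconfig", "/docs/../logs/app.log"):
        print(f"{req:28} -> {resolve(req, published)}")
    # To serve for real: HTTPServer(("127.0.0.1", 8080), PublicSiteHandler).serve_forever()
```

Blocked and unknown paths get the same 404 body, so a response never confirms that an internal directory exists; a request for a directory resolves only to that directory's own index.html, never to the site homepage.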

Pre-Publish Scan

  • Search for token, key, secret, Authorization, Cookie.
  • Check screenshots for address bars, logs, and private hosts.
  • Verify no accidental uploads (.env, configs, backups).
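The placeholder convention from "How to Write Safely" and the three checks of the pre-publish scan, as one added example (not OpenClaw Codex's own tooling): a scanner that walks the files about to go public, accepts secret values only when written as `<TOKEN>`-style placeholders, and reports credentials, Authorization and Cookie headers, server IPs, internal hostnames, server paths, service unit names, stack traces, env fragments and forbidden uploads such as `.env` or backup files. The rule patterns and the sample files are constructed for this illustration; the scanner errs toward false positives because a human reviews its report.

```python
"""Pre-publish leak scanner (added example; not OpenClaw Codex's own tooling).

Scans the text of every file about to go public and reports lines that cross
the red lines above. Secret values are accepted only as placeholders such as
<TOKEN>, <API_KEY> or <HOST>; everything else is reported for review.
"""
import ipaddress
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"^<[A-Z][A-Z0-9_]*>$")

# Rules whose group 1 is a value that must be a placeholder.
VALUE_RULES = [
    ("credential", re.compile(r"(?:token|api[_-]?key|\bkey|secret|password)\s*[:=]\s*[\"']?([^\s\"',;]+)", re.I)),
    ("authorization", re.compile(r"Authorization\s*:\s*(?:\w+\s+)?([^\s'\"]+)", re.I)),
    ("env-fragment", re.compile(r"^[ \t]*(?:export\s+)?[A-Z][A-Z0-9_]{2,}=(\S+)", re.M)),
]
COOKIE_HEADER = re.compile(r"(?:Set-)?Cookie\s*:\s*(.+)$", re.I | re.M)
COOKIE_ATTRS = {"path", "domain", "expires", "max-age", "samesite"}   # attributes, not secrets
# Rules where any match is a finding: there is no legitimate value to mask.
CONTEXT_RULES = [
    ("internal-host", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|lan|corp|intranet)\b", re.I)),
    ("server-path", re.compile(r"(?<![\w/])/(?:home|var|etc|opt|srv)/[\w./-]+")),
    ("service-unit", re.compile(r"\b[\w@.-]+\.service\b")),
    ("stack-trace", re.compile(r"Traceback \(most recent call last\)|^[ \t]+at [\w.$]+\(.*\)$", re.M)),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Addresses that are fine in public text: RFC 5737 documentation ranges, loopback, unspecified.
SAFE_NETS = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "127.0.0.0/8", "0.0.0.0/32")]
# File names that must never be uploaded at all: dotenv files, backups, keys, database dumps.
FORBIDDEN_FILE = re.compile(r"(^|/)(\.env(\..+)?|[^/]+\.(bak|old|orig|pem|key|sql))$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 0 for findings about the file name itself
    rule: str
    excerpt: str


def _is_placeholder(value: str) -> bool:
    return PLACEHOLDER.match(value.strip().strip("`'\"")) is not None


def scan_text(path: str, text: str) -> list:
    """Return every red-line hit in one file's text, sorted by line."""
    found = []

    def add(rule, pos, excerpt):
        found.append(Finding(path, text.count("\n", 0, pos) + 1, rule, excerpt.strip()[:80]))

    for rule, rx in VALUE_RULES:
        for m in rx.finditer(text):
            if not _is_placeholder(m.group(1)):
                add(rule, m.start(), m.group(0))
    for m in COOKIE_HEADER.finditer(text):
        for pair in m.group(1).split(";"):            # every name=value must be masked
            name, _, value = pair.strip().partition("=")
            if value and name.lower() not in COOKIE_ATTRS and not _is_placeholder(value):
                add("cookie", m.start(), pair)
    for rule, rx in CONTEXT_RULES:
        for m in rx.finditer(text):
            add(rule, m.start(), m.group(0))
    for m in IPV4.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue                                  # an octet above 255: not an address
        if not any(addr in net for net in SAFE_NETS):
            add("ip-address", m.start(), m.group(0))
    return sorted(found, key=lambda f: (f.line, f.rule))


def scan_tree(files: dict) -> list:
    """files maps a relative path to its text; a forbidden file name is a finding by itself."""
    found = []
    for path, text in files.items():
        if FORBIDDEN_FILE.search(path):
            found.append(Finding(path, 0, "forbidden-file", path))
        found.extend(scan_text(path, text))
    return found


def rules_hit(findings: list, path: str) -> set:
    return {f.rule for f in findings if f.path == path}


# Constructed sample upload: one safe post, one draft full of red-line material, one stray dotenv.
SAMPLE_FILES = {
    "posts/setup.md": (
        "# Connecting the gateway\n"
        "Set the host and key, then call the API:\n"
        "    GATEWAY_HOST=<HOST>\n"
        "    curl -H 'Authorization: Bearer <TOKEN>' https://<HOST>/v1/status\n"
        "Cookies: `Cookie: session=<TOKEN>`\n"
    ),
    "posts/debug-notes.md": (
        "Gateway on 10.20.30.40 (box gw01.corp.internal), unit gateway.service\n"
        "api_key = sk-EXAMPLE-not-a-real-key-12345\n"
        "Authorization: Bearer eyJhbGciOi.EXAMPLE.payload\n"
        "Traceback (most recent call last):\n"
        "  File \"/srv/gateway/app.py\", line 42, in handle\n"
    ),
    ".env.production": "WEBHOOK_SECRET=whsec_EXAMPLE\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.excerpt}")
```

Run it against the export directory before uploading; any finding blocks the publish until the line is rewritten with a placeholder or the file is removed. The "Cookies:" line in the safe post shows the only accepted form for a header value: every cookie and bearer value is a placeholder, and the scanner strips surrounding quotes and backticks before checking.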