# Security Configuration
## Security Best Practices

### 1. API Key Protection

Never commit API keys to version control. Keep secret-bearing files out of the repository via `.gitignore`:

```gitignore
.env
*.pem
*.key
```

Use environment variables instead:

```bash
export ANTHROPIC_API_KEY=sk-ant-xxxxx
```

### 2. Webhook Verification
Always verify webhook signatures:

```python
# Telegram
import hashlib
import hmac


def verify_telegram_webhook(token: str, data: bytes, signature: str) -> bool:
    """Return True if `signature` is the HMAC-SHA256 of `data`.

    The HMAC key is the SHA-256 digest of the bot token; the comparison is
    constant-time so an attacker cannot learn the digest byte by byte.
    """
    secret = hashlib.sha256(token.encode()).digest()
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```
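The snippet above shows the comparison; what a handler around it has to get right is the order of operations: verify over the raw request bytes, reject a missing header before comparing, and parse the JSON only afterwards. The following is an added example that is not part of the Clawdbot docs or code. The sender side (`sign_body`), the header name `X-Signature-SHA256`, the bot token and the update body are all constructed here to exercise the verifier; the key derivation is the same SHA-256-of-token scheme used above.

```python
import hashlib
import hmac
import json

# Hypothetical header carrying the hex HMAC; an assumption of this example, not from the docs.
SIGNATURE_HEADER = "X-Signature-SHA256"


def derive_key(token: str) -> bytes:
    """HMAC key = SHA-256 digest of the bot token (same scheme as the docs' verifier)."""
    return hashlib.sha256(token.encode()).digest()


def sign_body(token: str, body: bytes) -> str:
    """Constructed sender side: the value the other end would have to attach."""
    return hmac.new(derive_key(token), body, hashlib.sha256).hexdigest()


def verify_body(token: str, body: bytes, signature) -> bool:
    """Receiver side. A missing, empty or non-ASCII header is rejected before any
    comparison; compare_digest makes a wrong guess cost the same time as a near miss."""
    if not isinstance(signature, str) or not signature or not signature.isascii():
        return False
    expected = sign_body(token, body)
    return hmac.compare_digest(expected, signature.lower())


def handle_webhook(token: str, headers: dict, body: bytes) -> tuple:
    """Verify the raw bytes first, then parse. Re-serialising parsed JSON before
    hashing would break verification on whitespace or key-order differences."""
    if not verify_body(token, body, headers.get(SIGNATURE_HEADER)):
        return 401, "invalid signature"
    try:
        update = json.loads(body)
    except ValueError:
        return 400, "malformed body"
    return 200, f"accepted update {update.get('update_id')}"


def run_demo() -> dict:
    """Exercise the handler with constructed inputs; returns {case: (status, message)}."""
    token = "123456:CONSTRUCTED-BOT-TOKEN"  # constructed, not a real token
    body = json.dumps({"update_id": 42, "message": {"text": "hi"}}).encode()
    good = {SIGNATURE_HEADER: sign_body(token, body)}
    return {
        "valid": handle_webhook(token, good, body),
        "tampered": handle_webhook(token, good, body.replace(b"hi", b"HI")),
        "missing": handle_webhook(token, {}, body),
        "wrong_token": handle_webhook(token, {SIGNATURE_HEADER: sign_body("other", body)}, body),
        "bad_json": handle_webhook(token, {SIGNATURE_HEADER: sign_body(token, b"{oops")}, b"{oops"),
    }


if __name__ == "__main__":
    for case, (status, msg) in run_demo().items():
        print(f"{case:12} -> {status} {msg}")
```

The tampered, missing-header and wrong-key cases all fail with the same 401 and the same code path, so the response does not tell a sender which part was wrong; only a body that verifies correctly reaches the JSON parser.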
### 3. Rate Limiting

Prevent abuse with rate limits:

```bash
RATE_LIMIT_ENABLED=true
RATE_LIMIT_REQUESTS=60   # requests per window
RATE_LIMIT_WINDOW=60     # window in seconds
RATE_LIMIT_BY=user       # user, ip, or channel
```

### 4. User Allowlists
Restrict access to specific users:

```bash
# Telegram
TELEGRAM_ALLOWED_USERS=123456789,987654321

# WhatsApp
WHATSAPP_ALLOWED_NUMBERS=+1234567890

# Discord
DISCORD_ALLOWED_GUILDS=123456789
```
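The rate-limit and allowlist settings above are two halves of one request gate: first decide whether the sender is allowed at all, then whether they have exceeded their budget for the window. The following is an added example, not Clawdbot's own implementation; it reads the documented `RATE_LIMIT_*` and `*_ALLOWED_*` variables from a constructed environment dict, keys the sliding window by `RATE_LIMIT_BY`, and fails closed on unknown channels and empty allowlists. The `RequestGate` class, `FakeClock` and the sample identifiers are assumptions of the example.

```python
import time
from collections import defaultdict, deque

# Which variable holds the allowlist for each channel (variable names from the docs).
ALLOWLIST_VARS = {
    "telegram": "TELEGRAM_ALLOWED_USERS",
    "whatsapp": "WHATSAPP_ALLOWED_NUMBERS",
    "discord": "DISCORD_ALLOWED_GUILDS",
}


def parse_allowlist(raw: str) -> frozenset:
    """'123, 456' -> {'123', '456'}; blank or unset -> empty set, i.e. nobody is allowed."""
    return frozenset(part.strip() for part in raw.split(",") if part.strip())


class RequestGate:
    """Allowlist check followed by a sliding-window rate limit driven by RATE_LIMIT_*."""

    def __init__(self, env: dict, clock=time.monotonic):
        self.enabled = env.get("RATE_LIMIT_ENABLED", "false").lower() == "true"
        self.limit = int(env.get("RATE_LIMIT_REQUESTS", "60"))
        self.window = float(env.get("RATE_LIMIT_WINDOW", "60"))
        self.key_by = env.get("RATE_LIMIT_BY", "user")
        if self.key_by not in ("user", "ip", "channel"):
            raise ValueError(f"RATE_LIMIT_BY must be user, ip or channel, got {self.key_by!r}")
        self.allowlists = {ch: parse_allowlist(env.get(var, "")) for ch, var in ALLOWLIST_VARS.items()}
        self.clock = clock
        self.history = defaultdict(deque)  # key -> timestamps of accepted requests in the window

    def check(self, channel: str, subject: str, ip: str) -> tuple:
        """`subject` is the channel's identifier: Telegram user id, WhatsApp number, Discord guild id.
        Returns (allowed, reason). Unknown channels and empty allowlists deny everything."""
        if subject not in self.allowlists.get(channel, frozenset()):
            return False, "not allowlisted"
        if not self.enabled:
            return True, "ok"
        key = {"user": f"{channel}:{subject}", "ip": ip, "channel": channel}[self.key_by]
        now = self.clock()
        stamps = self.history[key]
        while stamps and now - stamps[0] >= self.window:  # drop requests that left the window
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False, "rate limited"
        stamps.append(now)
        return True, "ok"


class FakeClock:
    """Deterministic stand-in for time.monotonic so the window can be advanced by hand."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo() -> list:
    """Constructed settings: the docs' allowlist values with a 2-request / 60 s limit."""
    env = {
        "TELEGRAM_ALLOWED_USERS": "123456789,987654321",
        "WHATSAPP_ALLOWED_NUMBERS": "+1234567890",
        "DISCORD_ALLOWED_GUILDS": "123456789",
        "RATE_LIMIT_ENABLED": "true",
        "RATE_LIMIT_REQUESTS": "2",
        "RATE_LIMIT_WINDOW": "60",
        "RATE_LIMIT_BY": "user",
    }
    clock = FakeClock()
    gate = RequestGate(env, clock)
    ip = "203.0.113.5"  # constructed documentation address
    results = [gate.check("telegram", "123456789", ip) for _ in range(3)]  # ok, ok, limited
    results.append(gate.check("telegram", "555", ip))          # not in the Telegram list
    results.append(gate.check("discord", "987654321", ip))     # not in the Discord guild list
    results.append(gate.check("irc", "123456789", ip))         # unknown channel: fail closed
    clock.advance(61)                                          # window expires
    results.append(gate.check("telegram", "123456789", ip))    # ok again
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

With `RATE_LIMIT_BY=user` the window key is `channel:subject`, so the same id on two channels gets two budgets; with `ip` all subjects behind one address share a budget, which is the setting to pick when the abuse you expect is many accounts from one host.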
### 5. Firewall Configuration

Only open the ports the bot actually needs:

```bash
# Only allow necessary ports
sudo ufw allow 22/tcp    # SSH
sudo ufw allow 443/tcp   # HTTPS (webhooks)
sudo ufw enable
```

## Encryption
### Data at Rest

Encrypt sensitive data:

```bash
# Enable encryption for stored sessions
ENCRYPTION_ENABLED=true
ENCRYPTION_KEY=your_32_byte_key_here
```

### Data in Transit
Section titled “Data in Transit”- Use HTTPS for all webhooks
- Claude API uses TLS by default
## Audit Logging

Enable comprehensive logging:

```bash
LOG_LEVEL=INFO
LOG_FILE=/var/log/clawdbot/audit.log
LOG_FORMAT=json
LOG_INCLUDE_USER=true
```
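What those four settings buy you is one structured JSON object per event with the acting user attached, which is what makes the log searchable during an incident ("every event by this user id in the last hour"). The following is an added example of a logger configured from those variables; it is not Clawdbot's own logging code. The `JsonFormatter`, `build_audit_logger` and `audit` names are assumptions of the example, and it writes to an in-memory stream in place of `LOG_FILE` so it runs without touching `/var/log`.

```python
import io
import json
import logging
import time


class JsonFormatter(logging.Formatter):
    """One JSON object per line (LOG_FORMAT=json); adds the acting user when LOG_INCLUDE_USER=true."""

    def __init__(self, include_user: bool):
        super().__init__()
        self.include_user = include_user

    def format(self, record: logging.LogRecord) -> str:
        entry = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.created)),
            "level": record.levelname,
            "logger": record.name,
            "event": record.getMessage(),
            "details": getattr(record, "details", {}),
        }
        if self.include_user:
            entry["user"] = getattr(record, "user", None)
        if record.exc_info:
            entry["exception"] = self.formatException(record.exc_info)
        return json.dumps(entry, sort_keys=True)


def build_audit_logger(env: dict, stream) -> logging.Logger:
    """Configure the 'clawdbot.audit' logger from LOG_LEVEL / LOG_FORMAT / LOG_INCLUDE_USER.
    `stream` stands in for the file named by LOG_FILE."""
    logger = logging.getLogger("clawdbot.audit")
    logger.handlers.clear()      # idempotent on repeated calls
    logger.propagate = False     # keep audit events out of the root logger's handlers
    logger.setLevel(env.get("LOG_LEVEL", "INFO").upper())
    handler = logging.StreamHandler(stream)
    if env.get("LOG_FORMAT", "text").lower() == "json":
        include_user = env.get("LOG_INCLUDE_USER", "false").lower() == "true"
        handler.setFormatter(JsonFormatter(include_user))
    else:
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def audit(logger: logging.Logger, event: str, user, level=logging.INFO, **details):
    """Record who did what. Identity and details travel via `extra`, never interpolated
    into the message string, so they stay separate fields in the JSON output."""
    logger.log(level, event, extra={"user": user, "details": details})


def run_demo() -> list:
    """Constructed settings and events; returns the parsed JSON lines that were written."""
    env = {"LOG_LEVEL": "INFO", "LOG_FORMAT": "json", "LOG_INCLUDE_USER": "true"}
    buf = io.StringIO()
    log = build_audit_logger(env, buf)
    audit(log, "message.received", user="123456789", channel="telegram")
    audit(log, "ratelimit.hit", user="987654321", channel="telegram", level=logging.WARNING)
    audit(log, "debug.noise", user="123456789", level=logging.DEBUG)  # below LOG_LEVEL, dropped
    return [json.loads(line) for line in buf.getvalue().splitlines()]


if __name__ == "__main__":
    for entry in run_demo():
        print(json.dumps(entry))
```

Log the sender's identifier and the event name, not the message text: the audit log is for attributing actions, and copying user content into it only creates another place where sensitive data has to be protected.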