Do Not Allow Insecure Authentication
Exercise caution when configuring whether to allow token-based login to the Web UI over HTTP. If this option is set to true, tokens and communication content will be transmitted in plaintext, making them vulnerable to eavesdropping. The default value of this option is false. If access is limited to the local host, retain the default setting. If public network access is required, configure a certificate and enable HTTPS to ensure communication security.
Procedure
Disable authentication over plaintext HTTP at the OpenClaw gateway:
openclaw config set gateway.controlUi.allowInsecureAuth false
Parent topic: Automated Configuration Items