1.7 KiB
1.7 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |
We recommend always running the latest version of PinchChat.
Security Model
PinchChat is a static frontend that connects to your OpenClaw gateway via WebSocket. Key security properties:
- No server-side code — PinchChat is a pure client-side SPA served as static files
- Runtime authentication — gateway URL and token are entered at login and stored in
localStorage, never baked into the build - No secrets in the image — the Docker image contains only static assets; credentials are provided at runtime
- No telemetry — PinchChat does not phone home, collect analytics, or send data to third parties
Token Handling
- The gateway token is stored in the browser's
localStorage - It is transmitted only over the WebSocket connection to your gateway
- Logging out clears the token from storage
- If you serve PinchChat over the network, use HTTPS to protect the token in transit
Recommendations
- Always use
wss://(WebSocket over TLS) in production - Restrict gateway access to trusted networks or use a reverse proxy with authentication
- Rotate your OpenClaw gateway token periodically
- Do not share your browser's
localStoragedata
Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email contact@nicolasvarrot.fr with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- You will receive a response within 72 hours
We appreciate responsible disclosure and will credit reporters (unless they prefer anonymity).