Files
PinchChat/SECURITY.md

1.7 KiB

Security Policy

Supported Versions

Version Supported
Latest release
Older releases

We recommend always running the latest version of PinchChat.

Security Model

PinchChat is a static frontend that connects to your OpenClaw gateway via WebSocket. Key security properties:

  • No server-side code — PinchChat is a pure client-side SPA served as static files
  • Runtime authentication — gateway URL and token are entered at login and stored in localStorage, never baked into the build
  • No secrets in the image — the Docker image contains only static assets; credentials are provided at runtime
  • No telemetry — PinchChat does not phone home, collect analytics, or send data to third parties

Token Handling

  • The gateway token is stored in the browser's localStorage
  • It is transmitted only over the WebSocket connection to your gateway
  • Logging out clears the token from storage
  • If you serve PinchChat over the network, use HTTPS to protect the token in transit

Recommendations

  • Always use wss:// (WebSocket over TLS) in production
  • Restrict gateway access to trusted networks or use a reverse proxy with authentication
  • Rotate your OpenClaw gateway token periodically
  • Do not share your browser's localStorage data

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue
  2. Email contact@nicolasvarrot.fr with:
    • A description of the vulnerability
    • Steps to reproduce
    • Potential impact
  3. You will receive a response within 72 hours

We appreciate responsible disclosure and will credit reporters (unless they prefer anonymity).