[Security] Baseline hardening: headers, CI scanning, and local assets

[unisone]

Summary

Following the CLAWDINATOR guidance to open an issue first before submitting security-related PRs. This proposal bundles 4 complementary security hardening improvements that reduce supply-chain and runtime risks.

Motivation

OpenClaw has 500k+ lines of code across multiple platforms with browser automation, command execution, and WebSocket control plane. While the project already has excellent security foundations (detect-secrets, openclaw security audit, loopback-by-default), there are baseline gaps that could be closed with minimal risk:

1. Remote asset dependency (Control UI loads SVG from external CDN)
2. Missing HTTP security headers (no baseline CSP/XFO/nosniff on gateway responses)
3. Unused security tooling configs (actionlint + zizmor configs exist but aren't enforced in CI)
4. No dependency vulnerability scanning (no CodeQL or dependency-review in CI)

Proposed Changes

Phase 1: Supply Chain Hardening (docs + CI)

1. Localize Control UI logo asset (addresses #5170)

• Replace hardcoded mintcdn.com SVG URL with bundled local asset
• PR reference: #6166 (closed), #6161 (alternative implementation)
• Risk reduced: Removes external CDN dependency that could be compromised

2. Wire up existing CI security configs

• Add .github/workflows/actionlint.yml (uses existing .github/actionlint.yaml)
• Add .github/workflows/zizmor.yml (uses existing zizmor.yml)
• PR reference: #6194 (closed, CI was fixed)
• Risk reduced: Catches workflow security footguns and misconfigurations

Phase 2: Runtime + Dependency Hardening

3. Add baseline HTTP security headers

• Add conservative headers to gateway HTTP responses: X-Content-Type-Options: nosniff, Referrer-Policy, X-Frame-Options: SAMEORIGIN, Permissions-Policy
• Intentionally scoped to be safe for both Control UI and API routes
• PR reference: #6171 (closed, had review feedback incorporated)
• Risk reduced: Reduces clickjacking, content-sniffing, and feature abuse surface

4. Add dependency scanning

• Add .github/workflows/dependency-review.yml (GitHub official action)
• Add .github/workflows/codeql.yml (JavaScript/TypeScript analysis)
• PR reference: #6195 (closed, CI was green)
• Risk reduced: Catches vulnerable dependencies and common insecure code patterns

Implementation Notes

• All changes are additive - no breaking changes to existing functionality
• Minimal permissions - CI workflows use contents: read only (CodeQL needs security-events: write)
• Follows existing patterns - Uses same action versions and config styles as current CI
• Tested - All PRs were validated with pnpm build, pnpm lint, and targeted tests

Request for Maintainers

@steipete (or active maintainers) - would you be open to these 4 hardening PRs? If yes, I can:

1. Re-open each PR individually with reference to this issue
2. Or combine into a single "security hardening bundle" PR if preferred
3. Or adjust scope based on your feedback

The goal is to reduce "death by a thousand cuts" security risks while keeping the PRs small and reviewable.

References

• Security docs: https://docs.openclaw.ai/gateway/security
• Related issue: [Bug]: Possible security problem with the .svg file #5170 (remote SVG)
• Closed PRs with full implementation: security(ui): remove remote mintcdn asset reference #6166, security(gateway): add baseline HTTP security headers #6171, ci(security): add actionlint + zizmor workflows #6194, ci(security): add dependency review + CodeQL #6195

[Artyomkun]

Comment:

This is a perfect example of proactive security architecture — fixing multiple small risks before they become big problems.

Same pattern as:

• [Bug]: OpenAI-compatible custom providers lose streaming usage data, causing zero session tokens and unknown dashboard usage #49753 — streaming usage lost (data boundary)
• [Bug]: message:sent hooks not work #49765 — hooks work only twice (state boundary)
• [Bug]: MS Teams File Upload via CLI #49784 — file upload missing state (state boundary)

The approach:

Small, additive, non-breaking changes that together close real attack surfaces.

• ✅ No CDN dependency
• ✅ CI catches workflow issues
• ✅ HTTP headers prevent common attacks
• ✅ Dependency scanning catches vulnerabilities

This is how you build security into the architecture, not bolt it on later.

Thanks for bundling them — makes review easier. 🔧

[steipete]

Closing this as implemented after Codex review.

Current main already implements the requested hardening bundle, though not always with the exact workflow/file split proposed in the issue. The Control UI logo is local, gateway responses now get baseline security headers with stricter Control UI headers on top, and CI already enforces actionlint/zizmor plus CodeQL and dependency auditing.

What I checked:

• Local Control UI asset: agentLogoUrl now resolves to the bundled favicon.svg, and the asset exists in-repo. (ui/src/ui/views/agents-utils.ts:243, cec34821754a)
• Baseline gateway security headers: server-http applies setDefaultSecurityHeaders to HTTP requests, and that helper sets X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. (src/gateway/server-http.ts:900, cec34821754a)
• Control UI hardening headers: Control UI responses additionally set X-Frame-Options: DENY and a CSP, with tests asserting those headers. (src/gateway/control-ui.ts:142, cec34821754a)
• CI enforces actionlint and zizmor: workflow-sanity.yml runs actionlint, and ci.yml audits changed workflows with zizmor. (.github/workflows/workflow-sanity.yml:52, cec34821754a)
• Dependency/security scanning is present: A dedicated CodeQL workflow exists, and main CI also runs production dependency auditing. (.github/workflows/codeql.yml:1, cec34821754a)
• Shipped release proof: The same hardening paths are present in release tag v2026.4.22, so this is not just unreleased main state. (00bd2cf7a376)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against cec34821754a; fixed evidence: release v2026.4.22, commit 00bd2cf7a376.