GoClaw's 5-Layer Security Architecture Explained
GoClaw's 5-Layer Security Architecture
Security is not an afterthought in GoClaw — it is the foundation. This post explains each of the five security layers.
Layer 1: Rate Limiting
Every API endpoint is protected by a configurable rate limiter using a sliding window algorithm.
ratelimit.New(ratelimit.Config{
Max: 100,
Expiration: time.Minute,
KeyGenerator: func(c *fiber.Ctx) string {
return c.Get("X-Tenant-ID")
},
})
Layer 2: SQL Injection Detection
GoClaw scans all LLM-generated tool arguments for SQL injection patterns before execution.
This layer specifically addresses CVE-2026-25253, a critical injection vulnerability found in OpenClaw.
Layer 3: Prompt Injection Detection
A regex-based scanner checks user inputs and LLM outputs for prompt injection attempts, including jailbreak patterns.
Layer 4: SSRF Protection
All outbound HTTP requests from tools are validated against an allowlist. Private IP ranges (RFC 1918) are blocked by default.
Layer 5: AES-256-GCM Encryption
Sensitive data at rest — API keys, credentials, conversation history — is encrypted using AES-256-GCM with per-tenant keys.
Row-Level Security (Bonus)
PostgreSQL RLS policies ensure tenants can never access each other's data, even if application logic has bugs.
Summary
| Layer | Threat Addressed |
|---|---|
| Rate Limiting | DDoS, brute force |
| SQL Injection | CVE-2026-25253, data exfiltration |
| Prompt Injection | Jailbreaks, data leakage |
| SSRF Protection | Internal network access |
| AES-256-GCM | Data breach at rest |
GoClaw's layered approach means attackers must bypass all five layers to compromise your deployment.