Security
Usually, clapf listens on localhost, so it cannot be accessed directly from other hosts. It listens on a high port (>1024), and it does not require any special privileges. By default it switches to user 'clapf' after it has started. You may run it as a different user by setting the username parameter:
username=clapf
Because the clapf.conf file contains sensitive data, such as MySQL credentials, it is very important that no user other than clapf can read it:
chgrp clapf /usr/local/etc/clapf.conf
chmod 640 /usr/local/etc/clapf.conf
If you have a clapf.pem file to enable STARTTLS support for the clapf daemon, fix the permissions on it as well:
chgrp clapf /usr/local/etc/clapf.pem
chmod 640 /usr/local/etc/clapf.pem
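To confirm that these permissions are still in place after an upgrade or a configuration change, a check like the following can be run from cron or a deployment script. It is an added example, not part of clapf; the function names and the --audit switch are made up here, while the paths and the clapf group are the ones used above.

```sh
#!/bin/sh
# Added example (not clapf's own code): audit the permissions set above.
# Paths and the 'clapf' group come from this page; function names are illustrative.

# check_secret_file FILE GROUP
# Succeeds only if FILE is a regular file (not a symlink), its group is GROUP,
# and its mode grants nothing beyond 640. Prints the reason on failure.
check_secret_file() {
    f=$1; grp=$2
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # find -group accepts a group name or a numeric gid
    if [ -z "$(find "$f" -prune -group "$grp" 2>/dev/null)" ]; then
        echo "FAIL $f: group is not $grp" >&2
        return 1
    fi
    # Any bit outside rw-r-----: owner execute, group write/execute, anything for others
    if [ -n "$(find "$f" -prune \( -perm -100 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]; then
        echo "FAIL $f: mode is more permissive than 640" >&2
        return 1
    fi
    echo "OK   $f"
}

# audit_clapf: check clapf.conf, and clapf.pem when it is present.
audit_clapf() {
    rc=0
    check_secret_file /usr/local/etc/clapf.conf clapf || rc=1
    # clapf.pem only exists when STARTTLS support is enabled
    if [ -e /usr/local/etc/clapf.pem ] || [ -L /usr/local/etc/clapf.pem ]; then
        check_secret_file /usr/local/etc/clapf.pem clapf || rc=1
    fi
    return $rc
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_clapf
fi
```

A non-zero exit status from the --audit run means at least one file needs the chgrp/chmod commands above applied again.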