Usually, clapf listens on the localhost, so it cannot be accessed directly. It listens on a high port (>1024), and it does not require any special privileges. By default it switches to user 'clapf' after it's started. You may run it as a different user by setting the username parameter.

username=clapf

Because the clapf.conf file contains sensitive data, such as MySQL credentials, it's very important that it shouldn't be read by any other user than clapf.

chgrp clapf /usr/local/etc/clapf.conf
chmod 640 /usr/local/etc/clapf.conf

If you have clapf.pem for enabling starttls support for the clapf daemon, then fix permissions on it as well:

chgrp clapf /usr/local/etc/clapf.pem
chmod 640 /usr/local/etc/clapf.pem