Docspell stores long-lived personal and business documents with OCR metadata. Hardening should focus on account policy, API and integration credentials, and private network segmentation for its supporting services.
¶ 1) Enforce strict account and auth policy
- keep registration disabled unless required for your deployment model
- use OIDC/LDAP-backed identity where available, and restrict admin users to a small trusted group
- review user sessions and revoke stale access after staff changes
¶ 2) Protect API keys and ingestion channels
- isolate inbox and automation credentials per source (scanner, email, import jobs)
- rotate API/integration credentials on schedule
- validate upload/ingest size limits to reduce abuse and DoS risk
¶ 3) Secure data and infrastructure components
- run Docspell behind a TLS-terminating reverse proxy that sets strict security headers and applies rate limiting
- keep PostgreSQL and search backends (Solr or PostgreSQL) on private interfaces only
- encrypt backups because OCR text and metadata can contain sensitive personal data
- note: Solr must remain reachable from every joex and rest server component, so bind it to a private network those components share rather than to a public interface
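As an added example (not part of Docspell's documentation or code), a POSIX shell audit that checks a host's listening TCP sockets against the rule above: only the TLS reverse proxy may listen on a public address, while PostgreSQL, Solr, the rest server and joex must sit on loopback or a private address. The default ports (5432, 8983, 7880, 7878) and the `ss -ltnH` input shape are assumptions.

```shell
#!/bin/sh
# Audit listening TCP sockets (input shaped like `ss -ltnH`:
#   STATE RECV-Q SEND-Q LOCAL PEER). Assumed default ports:
#   PostgreSQL 5432, Solr 8983, Docspell rest server 7880, joex 7878.
# Anything on those ports bound to a wildcard or non-private address is
# reported as a violation; the reverse proxy (443) is expected to be public.
PRIVATE_PORTS="5432 8983 7880 7878"

# is_public ADDR: returns 0 (true) unless ADDR is loopback or RFC1918.
# Unknown address shapes are treated as public, which is the safe default.
is_public() {
  case "$1" in
    0.0.0.0|'*'|'[::]'|'::') return 0 ;;
    127.*|'[::1]'|10.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# audit_listeners < ss-output: prints one line per violation, exits 1 if any.
audit_listeners() {
  rc=0
  while read -r _state _rq _sq laddr _rest; do
    [ -z "$laddr" ] && continue
    port=${laddr##*:}      # text after the last colon
    addr=${laddr%:*}       # everything before it ("[::]" for IPv6 binds)
    for p in $PRIVATE_PORTS; do
      if [ "$port" = "$p" ] && is_public "$addr"; then
        echo "VIOLATION: port $port bound on public address $addr"
        rc=1
      fi
    done
  done
  return $rc
}

# Run against the live socket table when invoked with --live; otherwise the
# functions are only defined so the script can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
  ss -ltnH | audit_listeners
fi
```

Run with `sh audit.sh --live` on the Docspell host; a clean run prints nothing and exits 0.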
- Docspell website: https://docspell.org
- Docspell source code: https://github.com/eikek/docspell