Paperless-ngx stores OCR-indexed documents and often receives input from scanners, mail ingestion, and integrations. Security should focus on strict origin controls, broker/database isolation, and account hardening.
¶ 1) Protect authentication and external access
- disable self-signup (PAPERLESS_ACCOUNT_ALLOW_SIGNUPS) unless explicitly needed
- enforce secure cookie behavior when HTTPS is enabled (PAPERLESS_COOKIE_SECURE)
- set PAPERLESS_ALLOWED_HOSTS and PAPERLESS_CSRF_TRUSTED_ORIGINS to explicit domains only
¶ 2) Isolate broker, database, and ingestion pipelines
- keep Redis (≥6.0) and PostgreSQL internal-only and never exposed publicly
- protect mail ingestion credentials used by mailbox/archive workflows
- apply request size and rate limits at the reverse proxy for the upload endpoints
- note: MariaDB and SQLite are also supported database backends
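As an added example (not code from the page or from the Paperless-ngx project), a small Python audit that reads a docker-compose.env-style file plus each service's compose `ports:` entries and flags the weak settings covered by items 1) and 2) above. The sample env content, the service names `broker` and `db`, and the treatment of an absent PAPERLESS_ALLOWED_HOSTS as unrestricted are assumptions made for the example.

```python
import re

# Constructed sample env file (not a real deployment) with the weak settings.
SAMPLE_ENV = """
PAPERLESS_URL=https://docs.example.internal
PAPERLESS_ACCOUNT_ALLOW_SIGNUPS=true
PAPERLESS_ALLOWED_HOSTS=*
PAPERLESS_CSRF_TRUSTED_ORIGINS=docs.example.internal
"""
# Constructed 'ports:' entries per compose service; the broker is published on all interfaces.
SAMPLE_PORTS = {"broker": ["6379:6379"], "db": ["127.0.0.1:5432:5432"], "webserver": ["8000:8000"]}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_env(text):
    """Parse KEY=VALUE lines; blanks and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_env(env):
    """Return (setting, problem) findings for the account/origin items in section 1)."""
    findings = []
    if env.get("PAPERLESS_ACCOUNT_ALLOW_SIGNUPS", "false").lower() == "true":
        findings.append(("PAPERLESS_ACCOUNT_ALLOW_SIGNUPS", "self-signup is enabled"))
    # An absent PAPERLESS_ALLOWED_HOSTS is treated as unrestricted (assumption).
    hosts = [h.strip() for h in env.get("PAPERLESS_ALLOWED_HOSTS", "*").split(",")]
    if "*" in hosts or "" in hosts:
        findings.append(("PAPERLESS_ALLOWED_HOSTS", "not limited to explicit domains"))
    origins = [o.strip() for o in env.get("PAPERLESS_CSRF_TRUSTED_ORIGINS", "").split(",") if o.strip()]
    if not origins or any(not re.fullmatch(r"https?://[^\s/*]+", o) for o in origins):
        findings.append(("PAPERLESS_CSRF_TRUSTED_ORIGINS", "missing, or entries are not explicit scheme://host"))
    if env.get("PAPERLESS_URL", "").startswith("https://") and env.get("PAPERLESS_COOKIE_SECURE", "").lower() != "true":
        findings.append(("PAPERLESS_COOKIE_SECURE", "HTTPS URL configured but secure cookies not enforced"))
    return findings

def audit_ports(service_ports, internal=("broker", "db")):
    """Flag internal services whose compose 'ports:' entry publishes to a non-loopback host address."""
    findings = []
    for service in internal:
        for entry in service_ports.get(service, []):
            parts = entry.rsplit(":", 2)  # [ip:]host:container, or a bare container port
            host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
            if host_ip not in LOOPBACK:
                findings.append((service, entry))
    return findings
```

Run `audit_env(parse_env(open("docker-compose.env").read()))` and `audit_ports(...)` with the `ports:` lists copied from your own compose file; an empty result for both means the checklist items above are satisfied at the configuration level.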
¶ 3) Patch and protect document/backup data
- follow Paperless-ngx release updates and patch on a tested cadence
- encrypt backup sets containing original files, OCR text, and metadata
- test restore regularly, including permissions and tag/correspondent integrity
- Paperless-ngx source repository: https://github.com/paperless-ngx/paperless-ngx
- Paperless-ngx docs (configuration): https://docs.paperless-ngx.com/configuration/
- Paperless-ngx docs (Docker install): https://docs.paperless-ngx.com/setup/