Collabora Online (CODE) is usually exposed through WOPI integrations (for example Nextcloud/ownCloud/OpenCloud). Security depends on strict domain allowlists, TLS, and integration trust boundaries.
- Configure domain / aliasgroup values to allow only your trusted WOPI hosts.
- Do not run with wildcard-accepting host rules in production.
- Keep admin console inaccessible from the public internet unless required.
- Set strong admin credentials and rotate them.
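
As an added example (not Collabora's own tooling), the Python script below audits a container environment for wildcard-accepting allowlist entries. It assumes `domain` is a `|`-separated list of host regular expressions and `aliasgroupN` a comma-separated list of `scheme://host:port` entries; the finding labels and the sample values are constructed for illustration.

```python
import re

# Any '*' or an unescaped '.+' lets one entry match arbitrary hosts.
WILDCARD = re.compile(r"\*|(?<!\\)\.\+")
# A '.' not preceded by a backslash matches any character in a regex.
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")

# Constructed sample values, not taken from a real deployment.
SAMPLE_ENV = {
    "domain": r"cloud\.example\.com|files.example.org|.*",
    "aliasgroup1": "https://cloud.example.com:443",
    "aliasgroup2": "http://intranet.example.net:80,https://.*:443",
    "username": "admin",
}


def audit_wopi_allowlist(env):
    """Return sorted (variable, entry, finding) tuples for risky entries.

    Assumption: only `domain` and `aliasgroupN` carry the WOPI host
    allowlist; every other variable is ignored.
    """
    findings = []
    for name, value in env.items():
        is_domain = name == "domain"
        if not is_domain and not re.fullmatch(r"aliasgroup\d+", name):
            continue  # not an allowlist variable
        # Assumed separators: '|' between domain hosts, ',' in alias groups.
        for entry in filter(None, value.split("|" if is_domain else ",")):
            if WILDCARD.search(entry):
                findings.append((name, entry, "wildcard"))
            elif is_domain and UNESCAPED_DOT.search(entry):
                # Unescaped dots widen the match beyond the intended host.
                findings.append((name, entry, "unescaped-dot"))
            if not is_domain and not entry.startswith("https://"):
                findings.append((name, entry, "not-https"))
    return sorted(findings)


if __name__ == "__main__":
    for variable, entry, finding in audit_wopi_allowlist(SAMPLE_ENV):
        print(f"{variable}: {entry!r} -> {finding}")
```
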
2) Harden transport and container runtime
- Use HTTPS from client to reverse proxy and from proxy to CODE where possible.
- Keep CODE service port private; publish only through reverse proxy.
- Run container with least privilege and minimal host mounts.
- Limit request body and connection rates to reduce abuse and DoS impact.
3) Patch and monitor integration paths
- Keep CODE image updates aligned with upstream security releases.
- Track WOPI host logs and Collabora logs for failed authorization attempts.
- Validate document conversion paths and temporary file storage permissions.
- Test backup and rollback for integrated document editing workflows.
- Collabora Online deployment and configuration: https://sdk.collaboraonline.com/docs/installation/index.html
- Collabora Online source repository: https://github.com/CollaboraOnline/online
- Collabora security policy: https://www.collaboraonline.com/security/