Nextcloud usually stores user files, calendars, contacts, and sensitive collaboration data. Harden it as a critical business application, not as a simple file share.
¶ 1) Lock down trusted network and reverse proxy settings
- Set trusted_domains to exact hostnames only; avoid wildcard entries.
- Set trusted_proxies to your real proxy addresses only. Nextcloud honours X-Forwarded-For from these hosts alone, so an empty list makes every client look like the proxy, and an over-broad one lets any client spoof its address.
- Set overwriteprotocol to https when TLS is terminated at the proxy, so generated links and redirects do not fall back to http.
- Keep datadirectory outside the web root.
¶ 2) Enforce account and session hardening
- Enable MFA for admin and privileged groups.
- Disable unrestricted public registration unless required.
- Configure brute-force protection and integrate fail2ban for login endpoints.
- Rotate app passwords and tokens on staff offboarding.
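The fail2ban point above depends on reading failed logins out of data/nextcloud.log correctly. The following is an added example (not Nextcloud project code) that applies the same maxretry/findtime logic fail2ban uses to a log excerpt: it parses the JSON lines, matches the "Login failed: '<user>' (Remote IP: '<ip>')" message the core app writes (the pattern common fail2ban filters key on), and flags source addresses that reach a threshold inside a sliding window. The log lines are constructed for the example; the field layout follows nextcloud.log's one-JSON-object-per-line format.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message Nextcloud's core app writes for a failed password login; this is
# the pattern fail2ban filters for Nextcloud key on. (Added example, not
# Nextcloud project code; the log lines below are constructed.)
LOGIN_FAILED_RE = re.compile(
    r"^Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)"
)

# Constructed sample of data/nextcloud.log, one JSON object per line:
# 203.0.113.5 sprays five usernames, 198.51.100.7 mistypes twice and then
# does something unrelated, and the last line is truncated mid-write.
SAMPLE_LOG = """\
{"reqId":"r1","level":2,"time":"2024-05-01T10:00:00+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"r2","level":2,"time":"2024-05-01T10:00:07+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"r3","level":2,"time":"2024-05-01T10:00:15+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
{"reqId":"r4","level":2,"time":"2024-05-01T10:00:20+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"r5","level":2,"time":"2024-05-01T10:00:31+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '198.51.100.7')","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
{"reqId":"r6","level":1,"time":"2024-05-01T10:00:40+00:00","remoteAddr":"198.51.100.7","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"Starting scan of user alice","userAgent":"Mozilla/5.0","version":"28.0.4.1"}
{"reqId":"r7","level":2,"time":"2024-05-01T10:00:44+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'test' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"r8","level":2,"time":"2024-05-01T10:00:58+00:00","remoteAddr":"203.0.113.5","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'backup' (Remote IP: '203.0.113.5')","userAgent":"curl/8.0","version":"28.0.4.1"}
{"reqId":"r9","level":2,"time":"2024-05-01T10:01:0
"""


def parse_failed_logins(lines):
    """Return [(time, ip, user)] for every failed-login record, skipping
    lines that are not valid JSON (truncated writes, rotation remnants)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        match = LOGIN_FAILED_RE.match(rec.get("message", ""))
        if not match:
            continue
        # remoteAddr is the address Nextcloud attributes the request to. It is
        # the real client only if trusted_proxies is set correctly; otherwise
        # every request carries the reverse proxy's address.
        ip = rec.get("remoteAddr") or match.group("ip")
        events.append((datetime.fromisoformat(rec["time"]), ip, match.group("user")))
    return events


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (peak_failures, users_tried)} for every IP that reaches
    `threshold` failed logins inside any span of length `window` (the
    fail2ban maxretry/findtime logic, evaluated over a log excerpt)."""
    by_ip = defaultdict(list)
    for when, ip, user in sorted(parse_failed_logins(lines)):
        by_ip[ip].append((when, user))
    flagged = {}
    for ip, hits in by_ip.items():
        peak, start = 0, 0
        for end in range(len(hits)):  # sliding window over time-sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, sorted({user for _, user in hits}))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins in 10 min, usernames tried: {', '.join(users)}")
```

The caveat this makes visible: the address that gets banned is whatever Nextcloud put in remoteAddr. With trusted_proxies unset, every line carries the reverse proxy's address, so a fail2ban jail built on this log would ban the proxy itself, which is why section 1 and section 2 have to be done together.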
¶ 3) Secure apps, background jobs, and file handling
- Remove unused apps and disable installation from untrusted sources.
- Use cron background jobs (not AJAX) for predictable maintenance and scanning.
- Keep antivirus integration enabled for upload-heavy deployments.
- Restrict preview providers if resource exhaustion is a concern.
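Most of sections 1 to 3 are settings you can verify from a config export rather than by reading config.php by hand. The following is an added example (not Nextcloud project code) that audits the JSON printed by `occ config:list --private` against those items: exact trusted_domains, real trusted_proxies, overwriteprotocol https, datadirectory outside the web root, brute-force protection left enabled, and cron (not AJAX) background jobs. The two config documents are constructed, one deliberately weak and one hardened; the output shape ({"system": {...}, "apps": {"core": {...}}}), the web root path and the assumption that TLS terminates at a proxy are assumptions of the example.

```python
import ipaddress
import json
import os.path

# Constructed output of `occ config:list --private` for a deliberately weak
# install (shape assumed: {"system": {...}, "apps": {"core": {...}}}).
WEAK_CONFIG = json.loads(r'''{
  "system": {
    "trusted_domains": ["cloud.example.com", "*.example.com"],
    "trusted_proxies": ["0.0.0.0/0"],
    "overwriteprotocol": "http",
    "datadirectory": "/var/www/nextcloud/data",
    "auth.bruteforce.protection.enabled": false
  },
  "apps": {"core": {"backgroundjobs_mode": "ajax"}}
}''')

# The same install after applying sections 1-3 of the checklist (constructed).
HARDENED_CONFIG = json.loads(r'''{
  "system": {
    "trusted_domains": ["cloud.example.com"],
    "trusted_proxies": ["10.0.0.10", "10.0.0.11"],
    "overwriteprotocol": "https",
    "datadirectory": "/srv/nextcloud-data",
    "auth.bruteforce.protection.enabled": true
  },
  "apps": {"core": {"backgroundjobs_mode": "cron"}}
}''')


def _values(setting):
    """trusted_domains/trusted_proxies are PHP arrays; occ prints them as a JSON
    list, or as an object keyed by index when `config:system:set` left gaps."""
    if isinstance(setting, dict):
        return list(setting.values())
    return list(setting or [])


def _broad_or_invalid(entry):
    """True if a trusted_proxies entry is not an address/CIDR or matches everything."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return True


def audit(config, web_root="/var/www/nextcloud", tls_at_proxy=True):
    """Return [(setting, problem)] for every deviation from the checklist.
    web_root is where the Nextcloud PHP tree lives (assumed default here)."""
    system = config.get("system", {})
    core = config.get("apps", {}).get("core", {})
    findings = []

    domains = _values(system.get("trusted_domains"))
    if not domains:
        findings.append(("trusted_domains", "not set; every Host header will be rejected"))
    for domain in domains:
        if "*" in domain:
            findings.append(("trusted_domains", f"wildcard entry {domain!r}; use exact hostnames"))

    proxies = _values(system.get("trusted_proxies"))
    if tls_at_proxy and not proxies:
        findings.append(("trusted_proxies", "empty; every client will be logged as the proxy"))
    for proxy in proxies:
        if _broad_or_invalid(proxy):
            findings.append(("trusted_proxies", f"{proxy!r} is invalid or matches any address"))

    if tls_at_proxy and system.get("overwriteprotocol") != "https":
        findings.append(("overwriteprotocol", "not 'https'; generated links will use http"))

    data_dir = system.get("datadirectory", "")
    # commonpath, not a string prefix: /var/www/nextcloud2 must not count as inside.
    if data_dir and os.path.commonpath(
        [os.path.abspath(data_dir), os.path.abspath(web_root)]
    ) == os.path.abspath(web_root):
        findings.append(("datadirectory", f"{data_dir!r} is inside the web root {web_root!r}"))

    # Key defaults to enabled when absent; only an explicit false is a finding.
    if system.get("auth.bruteforce.protection.enabled", True) is False:
        findings.append(("auth.bruteforce.protection.enabled", "brute-force protection disabled"))

    mode = core.get("backgroundjobs_mode", "ajax")  # Nextcloud's default is ajax
    if mode != "cron":
        findings.append(("backgroundjobs_mode", f"{mode!r}; switch to system cron"))

    return findings


if __name__ == "__main__":
    for setting, problem in audit(WEAK_CONFIG):
        print(f"[!] {setting}: {problem}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

To run it against a real instance, pipe the output of `sudo -u www-data php occ config:list --private` into `json.load` and pass the result to `audit()` with the actual web root. Pass `tls_at_proxy=False` for a host that terminates TLS itself, where empty trusted_proxies and a missing overwriteprotocol are correct rather than findings.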
¶ 4) Patch and monitor continuously
- Follow stable release channels and apply security updates quickly.
- Run occ security:certificates to review the CA certificates Nextcloud trusts for outgoing connections, and occ status regularly to confirm the installed version and maintenance state.
- Back up database plus data directory and test restore.
- Nextcloud hardening and security guidance: https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html
- Nextcloud security and setup warnings: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/security_setup_warnings.html
- Nextcloud source repository: https://github.com/nextcloud/server