ONLYOFFICE Docs (Document Server) is commonly deployed as the document editing backend behind Nextcloud/ownCloud/OpenCloud. The controls that matter most are JWT enforcement on every channel, strict trust rules for callbacks and document URLs, and keeping the service and its backing stores off the public network.
¶ 1) Enforce JWT and trusted integration settings
- Enable JWT validation on all three channels: browser (the signed editor config), inbox (requests sent to the Document Server) and outbox (callbacks and command responses it sends). In local.json these are services.CoAuthoring.token.enable.browser and token.enable.request.inbox/outbox; the Docker image sets them from JWT_ENABLED. With tokens off, anyone who can reach the server can submit conversion and editing jobs and make it fetch URLs of their choosing.
- Use a long random secret (32 or more bytes from a CSPRNG, never the shipped placeholder "secret"), configure the identical value on the integrator side (the secret key field of the ONLYOFFICE app in Nextcloud/ownCloud), and rotate it in a planned maintenance window, since both sides must change at the same time.
- Restrict what the Document Server will talk to and what the integrator will believe: keep services.CoAuthoring.request-filtering-agent.allowPrivateIPAddress and allowMetaIPAddress at false so document and callback URLs cannot point at internal or cloud-metadata addresses, and on the integrator side accept a callback only when its token verifies and its key belongs to a document you actually opened.
- Remove the bundled example application (served under /example/, shipped as the onlyoffice-documentserver-example package) from production hosts; it is a demo that accepts file uploads from anyone who can reach it.
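The following is an added example, not code from ONLYOFFICE or from any integrator app: it shows with the standard library what "JWT enforcement" means on both ends of the integration. sign_hs256 produces the kind of token an integrator attaches to the editor config or to an inbox request; verify_hs256 checks a token the way the receiving side must (algorithm pinned to HS256, constant-time MAC compare, exp honoured); callback_is_trusted is the integrator-side check of a Document Server callback, assuming the header form the ONLYOFFICE API documentation describes, where the request body is carried under a payload claim. The secret, document key and callback body are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example only; in production use 32+ random bytes
# from a CSPRNG and configure the identical value on both sides.
SECRET = "example-only-9f2c1d0a7b4e5f6a8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: str) -> str:
    """Token an integrator attaches to the editor config (browser channel) or to a
    request body sent to the Document Server (inbox channel)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(payload))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Verify as the receiving side must: the algorithm is pinned (rejects 'none' and
    HMAC/RSA confusion), the MAC is compared in constant time, exp is honoured."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode("utf-8"), (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if not isinstance(payload, dict):
        raise ValueError("payload is not an object")
    exp = payload.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return payload


def token_ok(token: str, secret: str, now: Optional[float] = None) -> bool:
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False


def forge_alg_none(payload: dict) -> str:
    """What an attacker sends to a verifier that trusts the header's alg field."""
    return _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + _b64url(_json(payload)) + "."


def callback_is_trusted(authorization: Optional[str], body: dict, secret: str,
                        open_keys: set, now: Optional[float] = None) -> bool:
    """Integrator-side check of a Document Server callback (its outbox channel):
    the Bearer token must verify, the signed payload must equal the posted body
    (never act on unsigned body fields), and the key must be a document we opened."""
    if not authorization or not authorization.startswith("Bearer "):
        return False
    try:
        claims = verify_hs256(authorization[len("Bearer "):], secret, now)
    except ValueError:
        return False
    return claims.get("payload") == body and body.get("key") in open_keys


if __name__ == "__main__":
    # Constructed callback as the Document Server would post it when a document is saved
    body = {"key": "doc-7f3a", "status": 2,
            "url": "https://docs.example.internal/cache/files/doc-7f3a/output.docx"}
    header = "Bearer " + sign_hs256({"payload": body, "exp": int(time.time()) + 300}, SECRET)
    print(callback_is_trusted(header, body, SECRET, {"doc-7f3a"}))
    print(callback_is_trusted(header, dict(body, url="http://attacker.example/x"), SECRET, {"doc-7f3a"}))
```

The same three checks apply whichever JWT library the integrator uses: pass the expected algorithm explicitly, never take it from the token, and compare the signed payload against the body you are about to act on rather than trusting the body because a token was present.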
¶ 2) Protect service exposure and runtime
- Bind the Document Server to loopback or a private network and expose it only through a reverse proxy (nginx, Apache or a cloud load balancer); the Docker image should not publish its ports on a public interface.
- Terminate TLS at the proxy with HSTS enabled, and forward X-Forwarded-Proto so the Document Server generates https:// URLs for editor and callback traffic instead of plaintext ones.
- Run the container unprivileged: no --privileged, drop capabilities it does not need, mount only the data, log and config volumes it uses, and never the Docker socket.
- Keep PostgreSQL, Redis and RabbitMQ on a private network with no published ports, and replace the default guest:guest RabbitMQ credentials referenced by the shipped configuration.
- Patch ONLYOFFICE Docs and its dependencies regularly and watch the release notes for security fixes.
- Monitor the docservice and converter logs for malformed input, token verification failures and repeated conversion failures; these are what probing and fuzzing look like from the server side.
- Back up the configuration (local.json), the database and the cache volume, then test the restore.
- Run untrusted document workflows (public upload forms, partner file exchange) on an isolated Document Server instance so a malicious file cannot affect the main deployment.
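As an added example covering the settings from both sections above (not ONLYOFFICE code, and not a substitute for reading the shipped default.json), here is a small audit of a Document Server local.json: it flags token channels that are off, placeholder or short secrets, a verifyOptions list that admits "none", request-filtering-agent flags that would let document and callback fetches reach private or metadata addresses, and a RabbitMQ URL still using guest:guest. The key paths follow the services.CoAuthoring layout of local.json as I know it; confirm them against the default.json of your installed version. The sample configs are constructed.

```python
import json

# Constructed local.json fragment resembling an unconfigured install: placeholder
# secrets, two token channels off, private-IP fetches allowed, default RabbitMQ creds.
SAMPLE_LOCAL_JSON = """
{
  "services": {
    "CoAuthoring": {
      "token": {
        "enable": { "browser": false, "request": { "inbox": false, "outbox": true } },
        "verifyOptions": { "algorithms": ["HS256", "HS384", "HS512"] }
      },
      "secret": {
        "inbox":   { "string": "secret" },
        "outbox":  { "string": "secret" },
        "session": { "string": "secret" }
      },
      "request-filtering-agent": { "allowPrivateIPAddress": true, "allowMetaIPAddress": false },
      "sql":   { "type": "postgres", "dbHost": "localhost" },
      "redis": { "host": "localhost" }
    }
  },
  "rabbitmq": { "url": "amqp://guest:guest@localhost:5672" }
}
"""

# Constructed hardened counterpart: every channel on, 48-character secrets, filtering kept.
HARDENED_LOCAL_JSON = """
{
  "services": {
    "CoAuthoring": {
      "token": {
        "enable": { "browser": true, "request": { "inbox": true, "outbox": true } },
        "verifyOptions": { "algorithms": ["HS256"] }
      },
      "secret": {
        "inbox":   { "string": "Qm7v1xK9pL2sT4wZ8cR3nB6yH0jF5dA1eG7uV2kM9oP4iS8t" },
        "outbox":  { "string": "Qm7v1xK9pL2sT4wZ8cR3nB6yH0jF5dA1eG7uV2kM9oP4iS8t" },
        "session": { "string": "Qm7v1xK9pL2sT4wZ8cR3nB6yH0jF5dA1eG7uV2kM9oP4iS8t" }
      },
      "request-filtering-agent": { "allowPrivateIPAddress": false, "allowMetaIPAddress": false }
    }
  },
  "rabbitmq": { "url": "amqp://docs:Vp3hX1nR8qL6mK2z@rabbitmq.internal:5672" }
}
"""

MIN_SECRET_LEN = 32


def load(text: str) -> dict:
    return json.loads(text)


def _get(cfg: dict, dotted: str, default=None):
    """Walk a dotted key path; request-filtering-agent is one segment despite the hyphens."""
    cur = cfg
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def audit_local_json(cfg: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    co = "services.CoAuthoring."
    for chan in ("browser", "request.inbox", "request.outbox"):
        if _get(cfg, co + "token.enable." + chan) is not True:
            findings.append("JWT not enforced on channel " + chan)
    for chan in ("inbox", "outbox", "session"):
        value = _get(cfg, co + "secret." + chan + ".string", "")
        if value == "secret" or len(value) < MIN_SECRET_LEN:
            findings.append("placeholder or short secret for " + chan)
    algs = [a.lower() for a in (_get(cfg, co + "token.verifyOptions.algorithms") or [])]
    if "none" in algs:
        findings.append("verifyOptions.algorithms allows 'none'")
    for flag, target in (("allowPrivateIPAddress", "private IP ranges"),
                         ("allowMetaIPAddress", "cloud metadata addresses")):
        if _get(cfg, co + "request-filtering-agent." + flag) is True:
            findings.append("document/callback fetches may reach " + target + " (SSRF)")
    if "guest:guest@" in str(_get(cfg, "rabbitmq.url", "")):
        findings.append("RabbitMQ URL uses the default guest credentials")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_LOCAL_JSON), ("hardened", HARDENED_LOCAL_JSON)):
        print(name, audit_local_json(load(text)) or "no findings")
```

Run it against /etc/onlyoffice/documentserver/local.json on the host (or the file mounted into the container) as part of a deployment check; it reads nothing but the file, so it is safe to schedule.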
- ONLYOFFICE Docs security settings: https://helpcenter.onlyoffice.com/docs/installation/docs-configure-jwt.aspx
- ONLYOFFICE Docs source repository: https://github.com/ONLYOFFICE/DocumentServer
- ONLYOFFICE docs portal: https://helpcenter.onlyoffice.com/