ownCloud often becomes a central store for regulated documents and user-shared content. Harden authentication, storage paths, and app lifecycle before opening access to users.
¶ 1) Harden core trusted host and proxy settings
- Configure strict trusted_domains values.
- Set proxy-related options correctly when TLS ends at NGINX/HAProxy.
- Keep the data directory outside the document root.
- Deny direct access to sensitive config and data paths at the web server.
¶ 2) Enforce identity and token hygiene
- Require MFA for administrator and support roles.
- Disable open user registration where not explicitly needed.
- Review app passwords and OAuth tokens periodically.
- Prefer SSO integration for central policy enforcement.
¶ 3) Limit app and sharing attack surface
- Remove unused marketplace apps.
- Restrict public link sharing defaults and enforce expiration where possible.
- Enable brute-force and login throttling controls through app and proxy layers.
- Keep preview and office integrations limited to required components only.
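The host, proxy and data-directory settings from section 1 and the public-link defaults from section 3 can be checked mechanically. The following audit script is an added example, not part of this page or of the ownCloud project; it reads the JSON that `occ config:list --private` prints (a `system` section and an `apps` section) and reports each setting that is still in a weak state. The two embedded dumps are constructed for the example, and the default values assumed for absent sharing keys are this script's own assumptions, not a statement about ownCloud's shipped defaults.

```python
"""Audit an ownCloud config dump for the hardening points in sections 1 and 3."""
import json
import os

# Constructed sample dumps in the shape produced by `occ config:list --private`.
# The values are made up for this example and do not describe a real deployment.
WEAK_DUMP = json.dumps({
    "system": {
        "trusted_domains": ["*"],
        "datadirectory": "/var/www/owncloud/data",
        "overwriteprotocol": "https",
        "overwritehost": "cloud.example.com",
    },
    "apps": {
        "core": {
            "shareapi_allow_links": "yes",
            "shareapi_enforce_expire_date": "no",
            "shareapi_allow_public_upload": "yes",
        }
    },
})

HARDENED_DUMP = json.dumps({
    "system": {
        "trusted_domains": ["cloud.example.com"],
        "datadirectory": "/srv/owncloud-data",
        "overwriteprotocol": "https",
        "overwritehost": "cloud.example.com",
        "trusted_proxies": ["10.0.0.5"],
    },
    "apps": {
        "core": {
            "shareapi_allow_links": "yes",
            "shareapi_default_expire_date": "yes",
            "shareapi_enforce_expire_date": "yes",
            "shareapi_expire_after_n_days": "7",
            "shareapi_allow_public_upload": "no",
        }
    },
})


def _inside(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies underneath it (symlinks resolved)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def audit(dump_json: str, docroot: str) -> list:
    """Return a list of finding strings; an empty list means every check passed."""
    dump = json.loads(dump_json)
    system = dump.get("system", {})
    core = dump.get("apps", {}).get("core", {})
    findings = []

    # Section 1: Host header validation. ownCloud only answers for hosts listed
    # here, so an empty list or a bare "*" removes that protection.
    domains = system.get("trusted_domains") or []
    if not domains or any(str(d).strip() in ("", "*") for d in domains):
        findings.append("trusted_domains missing or wildcard: list explicit hostnames")

    # Section 1: When scheme/host are overwritten for a TLS-terminating proxy,
    # restrict who may send forwarding headers by listing the proxies.
    if (system.get("overwriteprotocol") or system.get("overwritehost")) \
            and not system.get("trusted_proxies"):
        findings.append("overwrite* set without trusted_proxies: forwarded headers "
                        "are accepted from any client")

    # Section 1: The data directory must not be served by the web server.
    datadir = system.get("datadirectory", "")
    if not datadir or _inside(datadir, docroot):
        findings.append(f"datadirectory {datadir!r} is inside the document root {docroot!r}")

    # Section 3: Public link defaults. The fallback values used when a key is
    # absent are assumptions of this example, so absent keys are reported too.
    if core.get("shareapi_allow_links", "yes") == "yes":
        if core.get("shareapi_enforce_expire_date", "no") != "yes":
            findings.append("public links allowed but expiration is not enforced "
                            "(shareapi_enforce_expire_date)")
        if core.get("shareapi_allow_public_upload", "yes") == "yes":
            findings.append("anonymous uploads through public links are enabled "
                            "(shareapi_allow_public_upload)")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{label}: {audit(dump, '/var/www/owncloud') or ['no findings']}")
```

Run it against a real instance by replacing the constructed dumps with the output of `occ config:list --private` and passing the web server's document root for the ownCloud installation; each finding maps back to one bullet in sections 1 and 3.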
¶ 4) Maintain patch and backup discipline
- Track upstream security advisories and patch quickly.
- Back up DB, config, and data directories together.
- Validate restore procedures, including share permissions and external storage mappings.
- ownCloud hardening and security: https://doc.owncloud.com/server/latest/admin_manual/installation/harden_server.html
- ownCloud source repository: https://github.com/owncloud/core
- ownCloud security advisories: https://owncloud.com/security-advisories/