Nextcloud Forms inherits most security controls from Nextcloud Server and adds app-level risks around sharing and response handling. Harden both the core server and the Forms sharing settings.
1) Keep Nextcloud core and app patched
- Follow Nextcloud security advisories and patch promptly.
- Keep Forms app updated alongside server version.
- Track security advisories affecting authentication/session behavior.
- Validate access controls after major server upgrades.
- Disable public forms unless required.
- Use private link sharing and expiration policies where possible.
- Restrict result-export privileges to trusted operators.
- Review who can read/manage forms in shared groups.
3) Protect infrastructure and data
- Enforce HTTPS and secure cookies.
- Keep database/storage services private.
- Encrypt backups containing response data and user metadata.
- Monitor logs for unusual response-volume patterns.
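
One way to act on the log-monitoring item above, as an added example that is not part of the original page or of the Nextcloud project: a sliding-window count of form-submission POSTs per client IP over web server access logs. The combined log format, the `SUBMIT_PATH` pattern, the threshold and the sample lines are assumptions to adapt to your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: submissions arrive as POSTs under the Forms app API path.
# Adjust this pattern to the routes your Forms version actually exposes.
SUBMIT_PATH = re.compile(r"/apps/forms/api/.*submission")

# Common/combined access-log prefix: ip ident user [time] "METHOD path proto"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
)

def submission_bursts(lines, window=timedelta(minutes=1), threshold=5):
    """Return {ip: peak submissions in any window} for IPs at or above threshold."""
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not SUBMIT_PATH.search(m["path"]):
            continue
        times[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            # Shrink the window from the left until it spans at most `window`.
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
POST = '"POST /ocs/v2.php/apps/forms/api/v3/forms/12/submissions HTTP/1.1" 200 85'
SAMPLE = [
    f"203.0.113.7 - - [10/Mar/2025:12:00:{s:02d} +0000] {POST}" for s in range(0, 40, 5)
] + [
    f"198.51.100.4 - - [10/Mar/2025:12:00:03 +0000] {POST}",
    f"198.51.100.4 - - [10/Mar/2025:12:09:41 +0000] {POST}",
    '203.0.113.7 - - [10/Mar/2025:12:01:00 +0000] "GET /apps/forms/s/EXAMPLETOKEN HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, peak in submission_bursts(SAMPLE).items():
        print(f"{ip}: {peak} submissions within one window")
```

Behind a reverse proxy, run this on the proxy's logs or on a log field carrying the real client address, otherwise every submission appears to come from the proxy.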
- Nextcloud Forms repository: https://github.com/nextcloud/forms
- Nextcloud security advisories repository: https://github.com/nextcloud/security-advisories
- Example advisory feed: https://github.com/nextcloud/security-advisories/security/advisories