How to secure CODE in the context of NextCloud?

I’m setting up NextCloud Office, backed by a self-hosted CODE server. It works, but I’m kind of confused by how security is supposed to work. As far as I can see, anybody can access the CODE server without authentication. The coolwsd config does not specify a way to authenticate the NextCloud server; NextCloud’s Office settings don’t specify a way to authenticate the CODE server.

There is the frame_ancestors config, but it doesn’t seem to do anything: if I set it to a domain that’s not my NextCloud domain, then Collabora still loads even though it shouldn’t.

There are also IP whitelists, but as far as I can see they only whitelist users’ IPs, not the NextCloud server’s IP, so this setting is also not useful to me.

What’s going on? Are my NextCloud files secure?

Welcome to the forum @FooBarWidget
Ah, we just added a webinar about that: Digital Sovereignty and Security with Collabora Online on Nextcloud - Nextcloud

Collabora Online uses an adapted version of the WOPI standard protocol, and we can use data stores which can provide their own policies. When your document data comes down into Collabora Online we isolate and protect your document in your on-premise server inside a series of concentric security onion shells:

Collabora keeps your document data on the server, and can send only tiled images to the client. These can also be watermarked with the viewer’s name. With granular permissions to restrict copy & paste, download, print and so on – Collabora protects your documents like no other.


The Collabora system can’t access Nextcloud files “itself”. Only once a user starts editing does Nextcloud provide a specially crafted URL with access information, which Collabora uses to access this specific file.

You can understand the process better if you monitor your browser log and the Nextcloud and Collabora access logs; then it’s pretty clear that access is only given to a specific document while editing…

Additionally, if you set the allowed hosts correctly in docker-compose.yml, only those hosts will be able to connect and edit anything.
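An added illustration (not code from Nextcloud or Collabora) of the access model the replies above describe: a minimal WOPI-style host endpoint that only serves a file when the request carries a token bound to that one file id and user, unexpired and HMAC-signed, and only when the caller is on an allow-list. The token format, the secret, the host list and the `check_file_info` helper are assumptions for this example, not Nextcloud's actual implementation.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"server-side-secret-example"        # constructed for this example only
ALLOWED_HOSTS = {"office.example.internal"}  # assumed allow-list of permitted callers


def issue_token(file_id, user, ttl=3600, now=None):
    """Mint a token bound to one file and one user that expires after ttl seconds."""
    exp = int((now or time.time()) + ttl)
    msg = f"{file_id}|{user}|{exp}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg).decode() + "." + sig


def verify_token(token, file_id, now=None):
    """Return the user the token was issued to if it is valid for file_id, else None."""
    try:
        b64, sig = token.split(".", 1)
        msg = base64.urlsafe_b64decode(b64.encode())
        t_file, user, exp = msg.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged signature
        return None
    if t_file != file_id:                        # token is scoped to a different file
        return None
    if int(exp) < (now or time.time()):          # expired
        return None
    return user


def check_file_info(host, file_id, token, now=None):
    """WOPI-style CheckFileInfo: file metadata on success, an HTTP status code otherwise."""
    if host not in ALLOWED_HOSTS:
        return 403
    user = verify_token(token, file_id, now)
    if user is None:
        return 401
    return {"BaseFileName": f"{file_id}.odt", "UserId": user}
```

Watching such a request fail with 401 for a second file id, even with a valid token for the first, is what the access logs mentioned above show in practice.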