Download Security

Concern Regarding Public Accessibility of OnlyOffice Callback URL

The OnlyOffice callback URL is publicly accessible, and I’m wondering whether we should drop the cache immediately after saving the file.

When the OnlyOffice Document Server sends a callback with a status of “2” (ready for saving), the request body includes a url field that points to the edited file hosted on the server, as shown below:

{
  "status": 2,
  "url": "https://documentserver/cache/files/abc123/output.docx",
  "users": ["userId"],
  "key": "docKey"
}

This URL does not require any authentication, meaning anyone with the link can directly download the file from the server.

My Concern:

Even though the callback body is JWT-signed (which prevents URL injection), the URL remains valid for some time after your backend has saved the file to your own storage. This creates a potential window during which the file is exposed.

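A handler-side check for the signed callback described in the post above, as an added example that is not part of the original post and is not OnlyOffice code. It assumes the JWT arrives in a `token` field of the callback body and is signed with HS256; the secret, the allowed host and the function names are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

JWT_SECRET = b"constructed-demo-secret"  # assumption: secret shared with Document Server
DOCSERVER_HOST = "documentserver"        # host taken from the sample callback in the post

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Builds a constructed token so the example can be exercised offline.
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    # Raises ValueError on a malformed token, wrong algorithm or bad signature.
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body))

def url_to_fetch(callback_body: dict):
    # Returns the download URL taken from the *verified* claims, or None.
    # Unsigned top-level fields of the body are never trusted.
    try:
        claims = verify_hs256(str(callback_body.get("token", "")), JWT_SECRET)
        if not isinstance(claims, dict) or claims.get("status") != 2:
            return None
        parts = urlsplit(str(claims.get("url", "")))
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname != DOCSERVER_HOST:
        return None
    return claims["url"]
```

Fetching the file as soon as `url_to_fetch` returns a URL keeps the handler's own use of the link at the start of its validity period.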

Hello @Mukesh

Sorry for the delayed response. We are working through this topic. I will provide feedback as soon as I get it.

I have an update about the callback URL.

Generally, Document Server adds a specific hash signature to the callback URL, which limits direct access to a document in cache, but allows downloading it via URL only. This mechanism works similarly to AWS Presigned URLs and is used by default.

Technically, you can manually use the callback URL from your callback handler, as it obtains it directly from Document Server and the URL already contains a hash for access, in a browser to download the resulting document, but in all other cases the message to the callback handler is not exposed publicly.

We keep discussing additional possible security measures for the messages to the callback handler, but right now this should not be an issue.

NB: By default, the expiration time for the callback URL is 900 seconds; you can configure it with the storage.fs.urlExpires parameter if needed.

Thank you for your response,

I have deployed my OnlyOffice server in my Kubernetes environment.

Currently I have exposed the entire pod using an Ingress.

I'm pretty sure that is wrong. Only certain APIs need to be publicly exposed, such as the APIs for WebSocket.

Can you please clarify what the total set of available endpoints is, which ones need to be exposed, and which APIs can communicate internally with the backend?

Hey @Mukesh, 👋

Thanks for the follow-up and for sharing your Kubernetes setup details.

Everything related to Kubernetes deployment, high availability, clustering, and secure ingress configuration falls under enterprise-level topics (scalability, fault tolerance, etc.).

For such questions, it’s best to contact our official support or sales team directly. They can provide detailed guidance tailored to your infrastructure and licensing model.

You can reach them here:
sales@onlyoffice.com

In the Community edition we mainly focus on simpler single-instance setups. For 20 connections, Kubernetes and complex HA configurations are usually overkill, which is why we recommend reaching out to the sales/support team for enterprise-grade advice.