Security and authentication

Nextcloud is designed to protect user data
through multiple layers of protection.

Nextcloud understands the necessity to provide core principle baseline security requirements, as such Nextcloud 11 is built on these security principles to ultimately deliver a secure solution to their customers

NCC Group

Verified Enterprise Class Security

Our customers care deeply about security and so do we. Nextcloud aligns with industry standards such as Clause 14 of ISO/IEC27001-2013 and related standards, guidance and security principles. Our solution is built around combined assurance layers consisting of rich security features, applied best practices governed by policy and the design itself validated by industry standard testing processes.

NCC Group security review


New technology should fit into existing processes and infrastructure. Nextcloud enables you to leverage existing security investments.


Existing storage and database technology

Nextcloud supports any existing storage solution, including object store technologies, keeping data under control of trusted IT administrators and managed with established policies. Nextcloud works with industry standard SQL databases like PostgreSQL, MySQL and MariaDB for user and metadata storage.

image/svg+xml SECURITY TOOLS

Existing security tools

Nextcloud offers built in monitoring tools and integrates with existing MDM, DLP, event logging and backup tools, enabling existing tool chains to be used to monitor, back up and restore systems.


Current security policies and processes

Thanks to the on-premises nature of Nextcloud and its ability to leverage existing data storage and database technologies, current security policies and governance processes can continue to be used to manage, control and secure operations with Nextcloud. Nextcloud GmbH does at no point have access to your data and can not interfere with regulated processes, keeping your IT department in control.


Nearly any authentication and provisioning mechanism works with Nextcloud, making it easy to fit with your user directory.

CanvasCreated using Figma

LDAP / Active Directory

Nextcloud has extensive LDAP/Active Directory support with an easy installation wizard.


Nextcloud supports Single Sign On (SSO) and provides native SAML 2.0 (and Shibboleth) authentication in its web front end.

The native SAML integration negates the need for external software like Apache modules. Native SAML is compatible with all webservers and supports group memberships, flexible session management and app specific passwords. It can handle multiple Identity Providers and can authenticate to Samba servers with Kerberos.

CanvasCreated using Figma

Authentication via environment variable

Nextcloud can work with Kerberos and other authentication mechanisms like OAuth2, OpenID Connect, JWT, CAS or Any SQL database mediated by Apache modules.

CanvasCreated using Figma

Two-factor authentication

Nextcloud includes Universal 2nd Factor (U2F) hardware tokens and Time-based One-Time Password (TOTP) as well as NFC and Gateway Signal/Telegram/SMS second factor support to increase the security of user login handling.

CanvasCreated using Figma

Automated or manual provisioning

Nextcloud offers an easy to use, REST based provisioning API to create and configure user accounts.

Under your control

Control is key to security. With Nextcloud, your IT department takes back control over its data, managed under its policies and procedures. Nextcloud integrates in the tooling you use in your data center like logging and intrusion detection and works with existing authentication mechanisms like SAML, Kerberos and LDAP. Nextcloud features:


Logging and monitoring

Nextcloud has built in monitoring and logging tools, compatible with industry standard tools like Splunk, Nagios and OpenNMS. It also offers a full, compliance-ready activity log for reporting and auditing purposes.



Administrators can set permissions on sharing and access to files using groups. Permissions of underlying storage, like Windows Network Drive access rights, are respected by Nextcloud

CanvasCreated using Figma

Data Retention

Define rules for data retention, allowing regular cleanup of files or ensurances that data stays put for a set amount of time.

image/svg+xml Canvas Canvas Created using Figma

Finegrained File Access Control

The powerful workflow tools in Nextcloud enable administrators to limit access to data in accordance to business and legal requirements and perform automatic actions like file conversion. Describe restrictions like "XLSX files from the HR department are not to be accessible outside company IP ranges" or "employees in the US shouldn't access customer data from European data centers" for Nextcloud to enforce.



Nextcloud uses industry-standard SSL/TLS encryption for data in transfer. Additionally, data at rest in storage can be encrypted using a default military grade AES-256 encryption with server-based or custom key management. Also optionally and on a per-folder base data can be end-to-end encrypted on the client with the server assisting in sharing and key management using a Zero-Knowledge model.

Note that E2E is currently (early 2019) in beta. V2 is expected end summer 2019.



Nextcloud puts all the pieces for compliance with regulations like HIPAA and GDRP at your fingertips. This goes from extensive documentation on our customer portal to specific apps for data requests as well as encryption and security capabilities in Nextcloud itself.
Learn more on our compliance site.

Protected Sharing

For Nextcloud customers, securely exchanging data is key. Nextcloud offers industry standard protection mechanisms and adds innovative and unique capabilities like Video Verification.

Securing shared links

Nextcloud features industry-leading protection for file shares.

Administrators can set defaults or enforce these options.
Learn more about sharing.

Video Verification

In situations where extreme security is warranted and the identity of a recipient has to be verified with absolute certainty before they are granted access, Nextcloud includes the industry-first implementation of Video Verification.

Video Verification enforces a Nextcloud Talk video call before access is given to a share, making sure the identity of the recipient is properly checked. The call can be picked up through the Nextcloud Talk Mobile apps as well as the web interface.

Security process

Nextcloud development follows industry leading security processes. Security bugs are like technical debt: fixing them later is expensive. Our strategy is to prevent them from happening through a rigorous focus on security through the entire life cycle of our product and to get those which find their way through found and fixed as soon as possible.

Click each step in the process to learn more

Security training

  • We provide detailed documentation about common web security vulnerabilities
  • We organize internal and public security trainings
  • Developers are asked to fix security issues they caused themselves



  • Unsafe functions are forbidden (e.g. unserialize, non-prepared statements and unsafe comparisons)
  • Our internal functions are designed to provide secure defaults for developers
  • We employ a strict mandatory code review process with 2 reviewers besides the original developer


  • We regularly run static and dynamic security scans like Burp, Veracode and others
  • We follow industry-standard security processes and have them independently verified
Check out our security review reports:


Security bug bounties

Nextcloud protects your security with an up to $ 5000 Security Bug Bounty program

HackerOne program

We have partnered with the HackerOne platform because of its extraordinary popularity among IT security professionals. More than 3,000 hackers have reported over 24,000 bugs via the platform. Running a program on HackerOne allows us to quickly leverage the collective knowledge of a huge amount of these security experts.

Nextcloud's commitment to responsiveness and putting security first puts them in the best position to attract top hacker talent to continue to supplement the good work their internal security team is doing to protect customers.

-- Michiel Prins, co-founder HackerOne.

Anyone reporting a security vulnerability in Nextcloud can earn up to $5000, making ours some of the highest security bug bounties in the open source industry. For more details, see our announcement, our update in 2017 and the HackerOne whitepaper in 2018

Nextcloud’s lightning fast response times are impressive and make them a model for how to build an efficient bug bounty triage and response process.

-- Michiel Prins, co-founder HackerOne.

Find an example of RhinoSecurityLabs blogging about a security issue we dealt with here (HackerOne disclosure). Here is another example.

Download HackerOne whitepaper.

Secure Authentication

Authentication is the first step in securing your data

in action

Extra security

The Nextcloud authentication system supports pluggable authentication including Two-factor authentication and device specific passwords, complete with a list of connected browsers and devices on the users’ personal page. As extra protection, device specific password tokens can be denied access to the file system.

Included are Universal 2nd Factor (U2F) and Time-based One-Time Password (TOTP) second factor apps, enabling users to use tools like Yubikeys or Google Authenticator to secure their accounts. NFC auth is also supported (Yubikey Neo). A gateway 2-factor provider is available which supports 2nd factors from secure messaging apps Telegram and Signal as well as a variety of SMS gateways.

Active user sessions can be invalidated through a list, by removing the user in the admin settings or by changing passwords. Users can manage their own sessions and devices.

Security advice

We make securing your system as easy as possible

in action

Automated checks and tips

Nextcloud detects issues with its installation and warns when it finds unknown or modified files. Administrators can find security tips and warnings in the configuration screen.

Administrators can set password quality policies enforced by Nextcloud as well as limit or disable sharing, enforce expiration dates and passwords on shares, disable preview generation and more.

You can find more information on hardening your Nextcloud installation in our extensive hardening guide

We provide the Nextcloud Security Scanner to check the security of your private cloud server.

Server-side Encryption


Employ encryption for the highest degree of privacy and security

in action

Encrypted data transfer

Nextcloud employs industry-standard TLS to encrypt data in transfer. Usage of Object Storage like Amazon S3 or other external storage systems can be secured through Server Side Encryption.

Encrypt data at rest

Server Side Encryption can also be used on local storage. However, inherent to the concept of server side encryption, encryption keys will be present in memory of the Nextcloud server during the time a user is logged in and could be retrieved by a determined attacker. We take care to ensure keys are not stored unencrypted on permanent storage and at rest keys are encrypted using a strong cipher.

Encrypt from client to client

End-to-end Encryption client-side is available from Nextcloud 13 and newer as a folder-level option to keep extremely sensitive data fully secure even in case of a full server breach. The server facilitates key exchange for syncing between devices and sharing but has Zero Knowledge, that is, never has access to any of the data or keys in unencrypted form. Learn more here.

in action

Server-side encryption with flexible key handling

Nextcloud supports pluggable encryption key handling. If you have an external key server or Hardware Security Module, these can be made to work with Nextcloud.

Our default encryption key handling enables administrators to set a system wide recovery key for encrypted files,. This ensures that, even when users lose their password, files can always be decrypted. Encrypted files can be shared but after changing encryption settings, shares will have to be re-shared. Using our command line tools, data can be encrypted, decrypted or re-encrypted when needed.

If you face a regulatory or compliance need to encrypt data at rest but do not need to actually secure this data, locally encrypting data using our built in key management may satisfy compliance requirements.

Learn how to use server side encryption in our documentation

in action

Seamless End-to-end Encryption on the clients

Nextcloud features an enterprise-grade, seamlessly integrated solution for end-to-end encryption. It enables users to pick one or more folders on their desktop or mobile client for end-to-end encryption. Folders can be shared with other users and synced between devices but are never readable by the server.

This solution is easy to use yet extremely secure thanks to its Zero-Knowledge server design and Cryptographic Identity Protection. It does not compromise security by using a browser to encrypt or decrypt files with code coming from the server and is not an all-or-nothing affair: any number of folders can be end-to-end encrypted. Sharing is secure without a need to exchange passwords and files don't need to be re-encrypted and re-uploaded when access rights for other users are changed.

Our solution is enterprise ready with support for a Hardware Security Module for issuing certificates, giving access to a full audit log and optionally allowing administrators to create an offline master recovery key.

Learn about End-to-end Encryption in our clients on this page.

Passive security measures

Besides active security measures like authentication and encryption, Nextcloud protects your data without any need for administrator action

Recognized quality

Brute Force Protection

Brute Force Protection logs invalid login attempts and slows down multiple attempts from a single IP address (or IPv6 range). This feature is enabled by default and protects against an attacker who tries to guess a password from one or more users.

Password reset tokens are invalidated when critical information like user email has been changed to protect against phishing attacks.

Nextcloud will ask system administrators for password confirmation on security critical actions.

Rate Limiting

Rate Limiting allows a developer to specify how often an IP range or a user may send a request in a specific time period. This can be useful for expensive API calls, to prevent users from accessing too much data in a smaller attempt of time or harden bruteforce stuff further. It is used by Nextcloud apps to protect users from spam and overloading.

Learn more about these protections in our blog.

Security hardening

Nextcloud employs a wide variety of extra security hardening capabilities, including:

  • Content Security Policy 3.0

      CSP is a HTTP feature that allows the server to set specific restrictions on a resource when opened in a browser. Such as only allowing to load images or JavaScript from specific targets.

      CSP 3.0 is the latest, most strict version of the standard, increasing the barrier for attackers to exploit a Cross-Site Scripting vulnerability.

  • Same-Site Cookies

      Same-Site cookies are a security measure supported by modern browsers that prevent CSRF vulnerabilities and protect your privacy further. Nextcloud enforces the same-site cookies to be present on every request by enforcing this within the request middle ware.

      We include the __Host prefix to the cookie (if supported by browser and server). This mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain.

Learn more about hardening features in our blog.

Machine learning based suspicious login detection

Nextcloud includes a machine learning technology which trains a neural network on successful logins on the instance and uses it to classify login attempts. Should it detect a login classified as suspicious by the trained model, it will notify the user and store an entry in the log for the system administrator.

When the user is notified, they can terminate the suspicious session, and proceed to set a new password. The administrator can also take action, like disabling user accounts or forcing users to pick a new password.

Of course, the solution is designed to protect privacy and all data remains on your server!

Learn more in our announcement blog

You have javascript disabled. We tried to make sure the basics of our website work but some functionality will be missing.

This website is using cookies. By visiting you agree with our privacy policy. That's Fine