Security Overview
The satware® AI OnlyOffice MCP server is designed with security at every layer — from input validation through Docker container isolation to encrypted credential storage.
Input Validation
Section titled “Input Validation”All template data is validated against JSON Schemas before processing:
- Required field checks — missing fields are rejected before document generation
- Type validation — Zod schemas enforce string, number, boolean, array, and object types
- Pattern matching — regex constraints for dates, emails, and formatted strings
- Enum validation — restricted value sets for fields like employment type or slide type
User data is sanitized through JSON serialization (round-trip removes functions, undefined values, and circular references).
Shell Injection Prevention
Section titled “Shell Injection Prevention”All command execution uses array arguments, never shell string interpolation:
execFile('docker', ['exec', '-i', containerName, ...])This prevents shell injection even if user data contains malicious characters. User-provided data flows through JSON serialization to a script file, never into shell command strings.
Docker Container Isolation
Section titled “Docker Container Isolation”Document Builder runs in an isolated Docker container:
- Limited filesystem access — only mounted volumes are accessible
- Controlled network access — OnlyOffice container is on an internal Docker network (
backend), not exposed externally - Non-root user — the
mcp-servercontainer runs asmcpuser(UID 1001) - No host filesystem mounts for sensitive data — only
/var/artifactsand Docker socket
The Docker socket is mounted for docker exec commands (required for DocBuilder). This is a known risk that is documented and accepted — the container cannot start or stop other containers, only execute commands in the specified OnlyOffice container.
Credential Encryption
Section titled “Credential Encryption”Cloud storage credentials (Google Drive, OneDrive, S3, MinIO, WebDAV, SMB) are encrypted at rest using:
| Aspect | Implementation |
|---|---|
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key Derivation | scrypt with OWASP-recommended parameters |
| IV | 96-bit (NIST recommended for GCM) |
| Auth Tag | 128-bit (maximum strength) |
| Storage | Local encrypted file with 0600 permissions |
| Memory | Decrypted keys cached with timeout and zeroing |
Credentials are never logged or included in error messages. The master password is read from the CREDENTIAL_MASTER_PASSWORD environment variable and never persisted to disk.
Network Security
Section titled “Network Security”Transport
Section titled “Transport”| Mode | Security |
|---|---|
| STDIO | Process isolation (no network) |
| HTTP | TLS via reverse proxy (Caddy/Nginx). Origin validation against CORS_ORIGINS. Fail-closed in production if CORS_ORIGINS is unset. |
Admin UI
Section titled “Admin UI”- Cookie-based session (HMAC-SHA256 signed, 8h lifetime)
/adminreturns 503 ifADMIN_PASSWORDis unset- Session secret derived from admin password (or set explicitly via
ADMIN_SESSION_SECRET)
Single-Port Model
Section titled “Single-Port Model”All endpoints (/mcp, /admin, /artifacts, /health, /instances) are on port :3847. OnlyOffice Document Server (:9980) is internal-only — not exposed to external traffic.
GDPR Compliance
Section titled “GDPR Compliance”- No PII stored — the server processes data in-memory and generates documents on demand
- Temporary artifacts — generated documents are auto-deleted (default TTL: 24 hours)
- EU hosting — production deployments on satware infrastructure in Germany
- No telemetry — no analytics, tracking, or phone-home calls
Security Checklist for Operators
Section titled “Security Checklist for Operators”Related
Section titled “Related”- Credential Management — Encrypted credential storage API
- Docker Stack Deployment — Production deployment with security configuration
- Tools Reference — All 26 MCP tools