Skip to content

Security Overview

The satware® AI OnlyOffice MCP server is designed with security at every layer — from input validation through Docker container isolation to encrypted credential storage.

All template data is validated against JSON Schemas before processing:

  • Required field checks — missing fields are rejected before document generation
  • Type validation — Zod schemas enforce string, number, boolean, array, and object types
  • Pattern matching — regex constraints for dates, emails, and formatted strings
  • Enum validation — restricted value sets for fields like employment type or slide type

User data is sanitized through JSON serialization (round-trip removes functions, undefined values, and circular references).

All command execution uses array arguments, never shell string interpolation:

execFile('docker', ['exec', '-i', containerName, ...])

This prevents shell injection even if user data contains malicious characters. User-provided data flows through JSON serialization to a script file, never into shell command strings.

Document Builder runs in an isolated Docker container:

  • Limited filesystem access — only mounted volumes are accessible
  • Controlled network access — OnlyOffice container is on an internal Docker network (backend), not exposed externally
  • Non-root user — the mcp-server container runs as mcpuser (UID 1001)
  • No host filesystem mounts for sensitive data — only /var/artifacts and Docker socket

The Docker socket is mounted for docker exec commands (required for DocBuilder). This is a known risk that is documented and accepted — the container cannot start or stop other containers, only execute commands in the specified OnlyOffice container.

Cloud storage credentials (Google Drive, OneDrive, S3, MinIO, WebDAV, SMB) are encrypted at rest using:

Aspect Implementation
Algorithm AES-256-GCM (authenticated encryption)
Key Derivation scrypt with OWASP-recommended parameters
IV 96-bit (NIST recommended for GCM)
Auth Tag 128-bit (maximum strength)
Storage Local encrypted file with 0600 permissions
Memory Decrypted keys cached with timeout and zeroing

Credentials are never logged or included in error messages. The master password is read from the CREDENTIAL_MASTER_PASSWORD environment variable and never persisted to disk.

Mode Security
STDIO Process isolation (no network)
HTTP TLS via reverse proxy (Caddy/Nginx). Origin validation against CORS_ORIGINS. Fail-closed in production if CORS_ORIGINS is unset.
  • Cookie-based session (HMAC-SHA256 signed, 8h lifetime)
  • /admin returns 503 if ADMIN_PASSWORD is unset
  • Session secret derived from admin password (or set explicitly via ADMIN_SESSION_SECRET)

All endpoints (/mcp, /admin, /artifacts, /health, /instances) are on port :3847. OnlyOffice Document Server (:9980) is internal-only — not exposed to external traffic.

  • No PII stored — the server processes data in-memory and generates documents on demand
  • Temporary artifacts — generated documents are auto-deleted (default TTL: 24 hours)
  • EU hosting — production deployments on satware infrastructure in Germany
  • No telemetry — no analytics, tracking, or phone-home calls