Paperless-ngx Hardening Checklist

For exposing paperless.czechito.com to the internet via Cloudflare Tunnel. Generated 2026-02-14.

Security Posture Summary

9 published CVEs, all patched, none critical. Active maintenance, responsible disclosure. Documents stored unencrypted at rest — the auth layer is the defense.

Severity	Count	Worst Example
Critical	0	—
Moderate	4	Arbitrary file storage outside app dirs (Jan 2026)
Low	5	Stored XSS in metadata, ReDoS, auth header bypass

Pre-Exposure Checklist

1. Application Configuration

Set PAPERLESS_SECRET_KEY to a long random value (not the default) REQUIRED
Set PAPERLESS_ALLOWED_HOSTS to paperless.czechito.com REQUIRED
Set PAPERLESS_URL to https://paperless.czechito.com REQUIRED
Set PAPERLESS_USE_X_FORWARD_HOST=true REQUIRED
Set PAPERLESS_USE_X_FORWARD_PORT=true REQUIRED
Set PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO","https"]' REQUIRED
Confirm PAPERLESS_ENABLE_HTTP_REMOTE_USER is not set or is false REQUIRED
Update Paperless-ngx to latest version before exposing REQUIRED

2. Authentication

Enable 2FA/TOTP for all user accounts (My Profile > MFA) REQUIRED
Save the 10 recovery codes securely REQUIRED
Set up OIDC provider (Authentik or Authelia) RECOMMENDED
Disable regular password login via PAPERLESS_DISABLE_REGULAR_LOGIN=true RECOMMENDED
Set PAPERLESS_REDIRECT_LOGIN_TO_SSO=true RECOMMENDED

3. Cloudflare Tunnel Setup

Install cloudflared on DS923+ (Docker container or binary) REQUIRED
Create tunnel in Cloudflare Zero Trust dashboard REQUIRED
Route paperless.czechito.com through tunnel to http://localhost:PORT REQUIRED
No port forwarding on ER-4 needed — tunnel is outbound-only REQUIRED
Enable Cloudflare Access policy (email OTP or IP allowlist) RECOMMENDED
Set Access policy to require a second factor RECOMMENDED

4. Network / Infrastructure

Restrict Paperless Docker container outbound network access RECOMMENDED
Ensure Redis and PostgreSQL containers are not exposed outside Docker network RECOMMENDED
Rate limiting at Cloudflare or reverse proxy layer RECOMMENDED
Add Paperless to regular backup routine (DB + media directory) REQUIRED

5. Ongoing Maintenance

Watch GitHub Security Advisories for new CVEs REQUIRED
Keep Paperless-ngx updated — patch cadence is ~monthly REQUIRED
Review Cloudflare Access logs periodically OPTIONAL
Audit user accounts and API tokens quarterly OPTIONAL

Architecture Diagram

Internet
  │
  ▼
Cloudflare Edge (TLS, DDoS, WAF)
  │
  ▼
Cloudflare Access (optional email OTP / IP allowlist)
  │
  ▼ (Cloudflare Tunnel — outbound from DS923+, no inbound ports)
  │
DS923+ → cloudflared container
  │
  ▼
Paperless-ngx container (2FA + OIDC)
  │
  ├── PostgreSQL (internal Docker network only)
  └── Redis (internal Docker network only)

Paperless-ngx — Hardening Checklist