Skip to content

ONLYOFFICE

Jump to bottom
Ryan edited this page Dec 8, 2025 · 4 revisions

Open and edit Office documents — Word (DOCX), Excel (XLSX), PowerPoint (PPTX) — directly in FileRise using your self-hosted ONLYOFFICE Document Server (optional). Open ODT/ODS/ODP, and view PDFs inline. Everything is enforced by the same per-folder ACLs across the UI and WebDAV.

  • 🧩 Office Docs (ONLYOFFICE, optional): View/edit DOCX, XLSX, PPTX (and ODT/ODS/ODP, PDF view) using your self-hosted ONLYOFFICE Document Server. Enforced by the same ACLs as the web UI & WebDAV.

Quick start: ONLYOFFICE (optional)

FileRise can open & edit office docs using your self-hosted ONLYOFFICE Document Server.

What you need

  • A reachable ONLYOFFICE Document Server (Community/Enterprise).
  • A shared JWT secret used by FileRise and your Document Server.

Setup (2–3 minutes)

  1. In FileRise go to Admin → ONLYOFFICE and:

    • ✅ Enable ONLYOFFICE
    • 🔗 Set Document Server Origin (e.g., https://docs.example.com)
    • 🔑 Enter JWT Secret (click “Replace” to set)

  2. (Recommended) Click Run tests in the ONLYOFFICE card:

    • Checks FileRise status, callback reachability, api.js load, and iframe embed.

  3. Update your Content-Security-Policy to allow the DS origin.
    The Admin panel shows a ready-to-copy line for Apache & Nginx. Example:

    Apache

    Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com"

    Nginx

       # Drop upstream (Apache/.htaccess) headers that conflict with ONLYOFFICE
   proxy_hide_header X-Frame-Options;
   proxy_hide_header Content-Security-Policy;

   # Replace with an ONLYOFFICE-aware CSP at the proxy
   add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com" always;

    Notes

    • If your site is https://, your Document Server must also be https:// (or the browser will block it as mixed content).
    • Editor access respects FileRise ACLs (view/edit/share) exactly like the rest of the app.

Clone this wiki locally