Is CalDAV and CardDAV reasonably secure?

I’m self-hosting a Nextcloud instance and I use the built-in CalDAV and CardDAV features for syncing my calendar and contacts to my devices.

While you do need to authenticate (i.e.: user, pass) to access them, is it reasonably secure? I realize that there are more secure options such as Proton Calendar (+contacts), but I’m not too fond of the lack of integration with native apps.

I don’t consider myself to be a serious target; my ‘threat model’ consists of basically ‘get away from big tech surveillance’, but while retaining some convenience. (I’m just a normal person blah blah)

As you’re self-hosting NextCloud, you shouldn’t have a problem. As for their security/privacy… they’re terrible. They’re old standards that were not built with privacy or security in mind. They can be encrypted on the client side, and in transit, which is good for self-hosting, but not really for Cloud services, when it comes to privacy. So long as you’re the host, it should be fine, but I wouldn’t trust it to a 3rd party. There is a reason Apple does not support Calendar or Contacts E2EE, even with ADP. It’s also why services like Tutanota, or Proton’s Bridge will not work with it. It just cannot be used securely… not easily, anyway. You’ve done great in self-hosting. Now just make sure you sync those DAV files with a trusted app.


Exactly this. Could not have said it better. All points covered.

Flawless victory.


To add to what has already been said, you could make your Nextcloud server only available via Tailscale and use the Tailscale client on your phone so you can connect to it. If you do that, your server doesn’t need to be publicly accessible on the internet, which dramatically increases your overall security.
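One way to verify the "only reachable over Tailscale" setup described in the reply above, as an added example that is not part of the thread: a small shell audit that reads listening-socket lines in the format of `ss -Hltn` and reports any HTTP(S) listener bound to a wildcard address or to an address outside loopback and the 100.64.0.0/10 CGNAT range that Tailscale assigns from. The sample listener lines, the address 100.101.102.103 and the function names are constructed for this example; a Nextcloud reverse proxy that is bound to `0.0.0.0:443` is still on the public internet whatever the Tailscale client on the phone sees.

```shell
#!/bin/sh
# Added example (not from the thread): audit which addresses a host's HTTP(S)
# listeners are bound to, so a Nextcloud instance meant to be reachable only
# over Tailscale is not also exposed on a public interface.
#
# Assumptions: listener lines follow `ss -Hltn` (state, recv-q, send-q,
# local addr:port, peer addr:port); a Tailscale IPv4 address lies inside
# 100.64.0.0/10 (the CGNAT range Tailscale allocates from).

# Constructed sample of `ss -Hltn` output. The second line is the problem:
# a listener bound to every interface on 443.
SAMPLE_LISTENERS='LISTEN 0 511 100.101.102.103:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# in_tailscale_range ADDR -> exit 0 if ADDR is an IPv4 address in 100.64.0.0/10
in_tailscale_range() {
    addr="$1"
    case "$addr" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    first=${addr%%.*}
    rest=${addr#*.}
    second=${rest%%.*}
    [ "$first" = "100" ] || return 1
    # 100.64.0.0/10 covers second octets 64..127
    [ "$second" -ge 64 ] 2>/dev/null && [ "$second" -le 127 ]
}

# public_listeners PORT [PORT ...]   (listener lines on stdin)
# Prints "ADDR:PORT" for each listener on one of the given ports whose bind
# address is a wildcard or outside the loopback and Tailscale ranges.
public_listeners() {
    ports=" $* "
    while read -r _state _rq _sq laddr _peer; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$ports" in *" $port "*) ;; *) continue ;; esac
        case "$addr" in
            0.0.0.0|'[::]'|'*') echo "$laddr" ;;  # wildcard bind: every interface
            127.*|'[::1]') ;;                      # loopback only: fine
            *) in_tailscale_range "$addr" || echo "$laddr" ;;
        esac
    done
}

# audit_sample -> prints offending listeners from the constructed sample and
# returns 1 if any were found, 0 if the host only listens where intended.
audit_sample() {
    found=$(printf '%s\n' "$SAMPLE_LISTENERS" | public_listeners 80 443)
    if [ -n "$found" ]; then
        printf 'exposed HTTP(S) listener(s):\n%s\n' "$found"
        return 1
    fi
    echo "no public HTTP(S) listeners"
    return 0
}

# On a live host the same check is:  ss -Hltn | public_listeners 80 443
```

The check is deliberately about bind addresses rather than firewall rules: binding the web server (or the reverse proxy in front of Nextcloud) to the Tailscale interface address only, and keeping the database and any other backends on loopback, means the CalDAV/CardDAV endpoints have no public listener to protect in the first place, and the audit above should print nothing for ports 80 and 443.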