
Hardening WebViewer Server

This guide details how to improve the overall security of WebViewer Server.

Container security

The WebViewer Server container is designed to be as secure as possible. Default security measures built into this container include:

  • Restricted permissions on the server user
  • Restricted permissions on 3rd party libraries
  • Ensuring operation occurs within safe paths
  • No installed applications that allow access to the container without Docker

To further secure the container on your side, we suggest the following:

  • Isolate the container from other servers and services
  • Only download the container from the PDFTron repository
  • Do not run it on the same Docker network as other containers
  • Do not increase the privileges given to the containers
  • Use the most up-to-date version of Docker
  • Ensure your host system is up to date, including the kernel
  • Do not mount sensitive host system directories onto the container
  • Do not add SSHD to the containers
  • Limit the memory and CPU available to the server container to what you want to allow (see https://docs.docker.com/config/containers/resource_constraints/)

For more in-depth, general-purpose solutions to improving container security, please refer to this guide.
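
An added example (not PDFTron's code) that checks one entry of `docker inspect` output against the suggestions above: added privileges, missing memory or CPU limits, sensitive bind mounts, and attachment to Docker's built-in shared networks. The sensitive-path list, the treatment of `bridge` and `host` as shared networks, and the sample data are assumptions made for this example.

```python
# Host paths treated as sensitive in this example (assumed list; adjust for your hosts).
SENSITIVE_PREFIXES = ("/etc", "/root", "/home", "/var/run/docker.sock", "/proc", "/sys", "/boot")
# Docker's built-in networks, which other containers or the host share by default.
SHARED_NETWORKS = {"bridge", "host"}


def audit_container(entry):
    """Return findings for one element of the JSON array printed by `docker inspect`."""
    host = entry.get("HostConfig", {})
    findings = []
    # "Do not increase the privileges given to the containers"
    if host.get("Privileged"):
        findings.append("container runs with --privileged")
    if host.get("CapAdd"):
        findings.append("extra capabilities added: " + ", ".join(host["CapAdd"]))
    # "Limit memory and CPU" (Docker reports 0 when no limit was set)
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit")
    # "Do not mount sensitive host system directories onto the container"
    for mount in entry.get("Mounts", []):
        src = mount.get("Source", "")
        sensitive = any(src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES)
        if mount.get("Type") == "bind" and sensitive:
            findings.append("sensitive host path mounted: " + src)
    # "Do not run it on the same Docker network as other containers"
    networks = entry.get("NetworkSettings", {}).get("Networks") or {}
    for name in sorted(SHARED_NETWORKS & set(networks)):
        findings.append("attached to shared network: " + name)
    return findings


# Constructed sample shaped like one `docker inspect` entry (not real data).
SAMPLE = {
    "Name": "/wvs-example",
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "Memory": 0,
                   "NanoCpus": 2000000000, "CpuQuota": 0},
    "Mounts": [{"Type": "bind", "Source": "/etc/ssl", "Destination": "/certs"},
               {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data",
                "Destination": "/cache"}],
    "NetworkSettings": {"Networks": {"bridge": {}}},
}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE):
        print(SAMPLE["Name"], "-", finding)
```

An empty result means none of these four checks fired; it does not cover the remaining suggestions, such as host patch level or image provenance.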

File security

WebViewer Server is designed to request files from a server. Because it sits between all clients and the file server, WebViewer Server can expose access to all files on the file server. The common way of dealing with this is to add security to your server. This can be done by:

  • Requiring an authentication gateway before accessing the server
  • Using signed links when retrieving files

If you are concerned about clients still being able to reach files they have lost access to, we recommend enabling the TRN_ENABLE_PER_SESSION_CACHING option. This will force the file links to be rechecked for validity every time they are requested.

Web Security

There are groups of options which can more tightly restrict security for clients coming in from the web. We recommend setting the following options:

Set this to false to prevent vulnerabilities arising from the demo code packaged with WebViewer Server

Set this to restrict requests to your WebViewer domain.

Set this to the root of your file server, which will restrict file requests to any other domain.

Caching Security

If you are concerned about cached files being accessible if the link is given out, you can set the following options. Keep in mind that these options come with a loss in performance due to the loss of cache sharing.
