PSPDFKit Server Security
We deliver PSPDFKit for Web as a Docker container deployed on-premises or in the cloud (AWS, Azure, Google Cloud, and others) by you.
We have no access to a deployed instance, including documents or annotation data. PSPDFKit Server does perform regular license checks and sends very limited and anonymized analytics data (number of users, documents, web browser usage share).
There are three ways PSPDFKit Server can be accessed:
Your backend signs JSON Web Tokens (JWTs) asserting that the holder of such a token is allowed to access a given document. It then passes them to your client apps using PSPDFKit for Android, iOS, and Web. Your apps then pass it to PSPDFKit Server to prove they have access to the claimed document.
To limit the possible attack surface area, you can disable the optional dashboard completely by setting the username and password configuration options to empty strings or not setting them at all.
We strongly recommend following these practices to improve security and privacy from a network perspective:
Enable HTTPS. Since PSPDFKit Server doesn’t support serving traffic over HTTPS, run a load balancer or reverse proxy with HTTPS support in front on Server. If you deploy to the cloud, you can rely on your cloud provider’s HTTPS termination (e.g. AWS Application Load Balancer). When running on-premises, you can set up HTTPS using nginx or Caddy.
Disable dashboard and server API access from the internet. PSPDFKit Server serves its internal API used by PSPDFKit for Web, the server API, the client API, and the dashboard on the same port. However, only the internal API needs to be exposed to the internet so that your application using PSPDFKit for Web can access it. To achieve this, configure your load balancer or reverse proxy so that only HTTP requests that target paths starting with
/iare allowed. In addition, if you also use the client API in your application, make sure to allow paths that start with
PSPDFKit Server fully supports encryption in transit and at rest, depending on your underlying platform.
Encryption in transit is achieved by enabling HTTPS. You can read more about it in the previous section.
PSPDFKit Server delegates encryption at rest to the underlying platform: If you implement encryption at rest for your Docker and PostgreSQL hosts, PSPDFKit Server’s data will be encrypted at rest as well.