WebApp Sec mailing list archives
Re: Securing PDF file on a Website
From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 23 Jul 2005 18:36:36 +1000
The Guide 2.0 (plug! plug!) suggests that you stream it back to the user via an action in your code, rather than using security through obscurity.
So instead of http://www.example.com/foo.pdf do: http://www.example.com/viewpdf.{php,aspx,jsp} and send in a form POST with the necessary details to detail *which* PDF they should be getting, check the authorization status and then create the PDF on the fly using PDFlib (or similar) and shoot it to them by sending HTTP headers like Content-type and so on.
That way:
a) there are no files to be found by any means
b) authorization is enforced
c) you can process the PDFs Just In Time, rather than generating them for everyone and hoping they will download it.
Andrew

On 23/07/2005, at 3:25 PM, echow () videotron ca wrote:

To all:

Is there a way that I can add access to a pdf file to a website in a secure way? What I was thinking was to require user name and password to access this very confidential file. I was also thinking about requiring the use of tokens and/or certificates.

The user group for this application is pretty low tech so my challenge is to come up with something that is secure but really straightforward to use.

Any thoughts on how I would implement this would be most appreciated.

Regards,
Edmond
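The handler pattern described in the reply above, as an added example that is not part of the original message or of the Guide: a Python WSGI `viewpdf` action that takes the document id in a form POST, checks authorization, and only then sends the bytes with the appropriate headers. The `session` cookie name, the in-memory `DOCUMENTS` and `SESSIONS` tables and the `post` helper are assumptions made for illustration, and stored bytes stand in for generating the PDF on the fly with PDFlib.

```python
import io
from urllib.parse import parse_qs

# Constructed sample data. Documents are held outside the web root, keyed by
# id, each with the set of users allowed to read it.
DOCUMENTS = {"q3-report": ({"edmond"}, b"%PDF-1.4\n% constructed sample\n%%EOF\n")}
SESSIONS = {"tok-edmond": "edmond", "tok-alice": "alice"}  # session token -> user

def current_user(environ):
    """Resolve the 'session' cookie to a user name, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None

def viewpdf(environ, start_response):
    """WSGI handler for POST /viewpdf with form field doc=<id>."""
    def reply(status, body=b"", headers=()):
        start_response(status, [("Content-Length", str(len(body))), *headers])
        return [body]
    if environ.get("REQUEST_METHOD") != "POST":
        return reply("405 Method Not Allowed", headers=[("Allow", "POST")])
    user = current_user(environ)
    if user is None:
        return reply("403 Forbidden")
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("ascii", "replace"))
    doc_id = form.get("doc", [""])[0]
    allowed, pdf = DOCUMENTS.get(doc_id, (set(), b""))
    # Unknown id and unauthorized user get the same answer, so the handler
    # does not reveal which document ids exist.
    if user not in allowed:
        return reply("404 Not Found")
    return reply("200 OK", pdf, [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", 'attachment; filename="document.pdf"'),
        ("Cache-Control", "no-store"),
    ])

def post(doc, cookie):
    """Drive the handler in-process with a constructed POST request."""
    body = ("doc=" + doc).encode()
    environ = {"REQUEST_METHOD": "POST", "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = {}
    out = viewpdf(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"], b"".join(out)
```

Because the authorization check runs on every request, there is no static URL for the file that bypasses it, and `Cache-Control: no-store` keeps intermediaries from holding a copy.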