PrizmDoc Viewer v13.10 Release - Updated
Security Guidance

Introduction

This topic covers the essential items that you should consider before deploying your application: how PrizmDoc Server is designed to be deployed, the ports that need to be open in single-server and cluster modes, PrizmDoc Server administration, and creating secure viewing sessions.

PrizmDoc Server

PrizmDoc Server is designed to run as an internal web service. Take steps to ensure that PrizmDoc Server is not accessible to end-users or the public internet by configuring a firewall in front of PrizmDoc Server to block access to the port it is using.

Ports

The following default ports should be open to access PrizmDoc Server:

Single-server Mode

Cluster Mode

NOTE: PrizmDoc Server uses a number of additional ports for internal purposes; these must not be accessible from outside of the server.

PrizmDoc Server Administration

PrizmDoc Server includes a Health Status API to request real-time information about the state and health of the system. A sample ASP.NET web application is also included in the Windows installation that takes advantage of the Health Status API and demonstrates potential use cases.

The Health Status API provides information that can be helpful in diagnosing problems. However, it also contains sensitive information such as document information and specific processing tasks. Because of this, the ASP.NET WebForms sample or any application accessing the Health Status API of PrizmDoc Server should not be accessible to end-users or the public internet.

Secure Viewing Sessions

The central configuration file contains properties that help prevent users from supplying inappropriate values in an attempt to attack PrizmDoc Server, which could degrade the server's performance. These values are properties in the ViewingSessionProperties object that a client passes to PrizmDoc Server to start a viewing session.

The file paths for the Central Configuration file are:

NOTE: The default installation directory is: C:\Prizm.

For more information on creating secure viewing sessions, refer to the following topics:

The following configuration properties place limits on the viewing session properties that are most susceptible to abuse:

Central Configuration Properties Example

# Defines the min and max allowed values for the countOfInitialPages viewing
# session creation option.
#
# viewing.sessionConstraints.countOfInitialPages.min: 0
# viewing.sessionConstraints.countOfInitialPages.max: 10

# A regex which defines the pattern of an acceptable value for the
# documentExtension viewing session creation option.
#
# viewing.sessionConstraints.documentExtension.regex: ".*"

# A regex which defines the pattern of an acceptable value for the
# externalId viewing session creation option.
#
# viewing.sessionConstraints.externalId.regex: ".*"

# Defines the list of allowed values for the serverCaching viewing session
# creation option.
#
# Must be an array with one or more of the following strings:
#
# "none" - Allow REST API callers to create a new viewing session with caching
#          explicitly disabled.
#
# "full" - Allow REST API callers to create a new viewing session with caching
#          explicitly enabled.
#
# viewing.sessionConstraints.serverCaching.allowedValues: ["none","full"]

# Defines the list of allowed values for the alwaysUseRaster viewing session
# creation option.
#
# Must be an array with one or more of the following values:
#
# false - Allow REST API callers to create a new viewing session which will
#         generate both raster and vector page content. Ideal for modern
#         browsers.
# true -  Allow REST API callers to create a new viewing session which will
#         only generate raster content; vector content will not be generated.
#         This is useful for some older browsers.
#
# viewing.sessionConstraints.render.alwaysUseRaster.allowedValues: [false]
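The following added example (not PrizmDoc's own code) shows what these constraints mean in practice: it parses a constructed copy of the six viewing.sessionConstraints.* settings above and checks an incoming set of viewing session creation options against them, rejecting anything outside the configured range, regex, or allowed-value list. The regex values are deliberately tighter than the permissive ".*" shown in the commented defaults, because ".*" accepts any string at all. The request is modelled as a flat dictionary keyed by the option names used in the comments (countOfInitialPages, documentExtension, externalId, serverCaching, render.alwaysUseRaster); the exact shape of the real request body is an assumption not taken from this page.

```python
import json
import re
from typing import Dict, List

# Constructed configuration fragment: the same keys as the Central Configuration
# example above, with the regexes tightened. Values are JSON literals, so the
# standard json module can parse them without a YAML dependency.
CONFIG_TEXT = """
viewing.sessionConstraints.countOfInitialPages.min: 0
viewing.sessionConstraints.countOfInitialPages.max: 10
viewing.sessionConstraints.documentExtension.regex: "^(pdf|docx|xlsx|tiff)$"
viewing.sessionConstraints.externalId.regex: "^[A-Za-z0-9_-]{1,64}$"
viewing.sessionConstraints.serverCaching.allowedValues: ["none","full"]
viewing.sessionConstraints.render.alwaysUseRaster.allowedValues: [false]
"""

PREFIX = "viewing.sessionConstraints."


def parse_constraints(text: str) -> Dict[str, object]:
    """Parse 'key: value' lines into a dict; blank lines and '#' comments are skipped."""
    constraints: Dict[str, object] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, raw = line.partition(":")
        constraints[key.strip()] = json.loads(raw.strip())
    return constraints


def validate_viewing_session(props: Dict[str, object],
                             constraints: Dict[str, object]) -> List[str]:
    """Return the list of constraint violations for one request; empty means accepted."""
    errors: List[str] = []

    # countOfInitialPages: an integer inside [min, max] (bool is excluded even
    # though it is an int subclass in Python).
    if "countOfInitialPages" in props:
        n = props["countOfInitialPages"]
        lo = constraints[PREFIX + "countOfInitialPages.min"]
        hi = constraints[PREFIX + "countOfInitialPages.max"]
        if isinstance(n, bool) or not isinstance(n, int) or not lo <= n <= hi:
            errors.append(f"countOfInitialPages must be an integer in [{lo}, {hi}], got {n!r}")

    # documentExtension and externalId: the whole value must match the regex,
    # so fullmatch is used rather than search.
    for key in ("documentExtension", "externalId"):
        if key in props:
            pattern = constraints[PREFIX + key + ".regex"]
            value = props[key]
            if not isinstance(value, str) or re.fullmatch(pattern, value) is None:
                errors.append(f"{key} {value!r} does not match {pattern!r}")

    # serverCaching: one of the configured strings.
    if "serverCaching" in props:
        allowed = constraints[PREFIX + "serverCaching.allowedValues"]
        value = props["serverCaching"]
        if not isinstance(value, str) or value not in allowed:
            errors.append(f"serverCaching {value!r} not in {allowed!r}")

    # render.alwaysUseRaster: a real boolean from the allowed list. The bool
    # check matters because 0 == False in Python and would otherwise slip through.
    if "render.alwaysUseRaster" in props:
        allowed = constraints[PREFIX + "render.alwaysUseRaster.allowedValues"]
        value = props["render.alwaysUseRaster"]
        if not isinstance(value, bool) or value not in allowed:
            errors.append(f"render.alwaysUseRaster {value!r} not in {allowed!r}")

    return errors


CONSTRAINTS = parse_constraints(CONFIG_TEXT)

if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with every field out of bounds.
    good = {"countOfInitialPages": 5, "documentExtension": "pdf",
            "externalId": "doc-1", "serverCaching": "full",
            "render.alwaysUseRaster": False}
    bad = {"countOfInitialPages": 100000, "documentExtension": "../../etc/passwd",
           "externalId": "x" * 200, "serverCaching": "disk",
           "render.alwaysUseRaster": True}
    print("good:", validate_viewing_session(good, CONSTRAINTS))
    for err in validate_viewing_session(bad, CONSTRAINTS):
        print("bad:", err)
```

Running the block prints an empty list for the well-formed request and one line per violated constraint for the other. The point to take from the example is that the min/max, regex and allowed-value settings are only as strong as the values you put in them: the shipped ".*" regexes and the 0 to 10 page range are the knobs to tighten for your document types and identifier format.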