PrizmDoc Viewer v13.9 - Updated
Security Guidance

The following sections discuss items that should be considered before deploying your application using PrizmDoc Viewer.

To prevent attacks on viewing sessions, refer to the "Secure Viewing Sessions" section below.

PrizmDoc Server

PrizmDoc Server is designed to be run as an internal web service. Steps should be taken to ensure that PrizmDoc Server is not accessible to end-users or the public internet. Typically, this involves configuring a firewall in front of PrizmDoc Server to block access to the port it is using. See the "Ports" section below for specific port information about PrizmDoc Server.

PrizmDoc Server Administration

PrizmDoc Server includes an API to request real-time information about the state and health of the system. A sample ASP.NET web application is also included in the Windows installation that takes advantage of the administration API and demonstrates potential use cases.

The administration API provides information that can be helpful in diagnosing problems, but which may also be considered sensitive, like document information and specific processing tasks. Because of this, the administration sample or any application accessing the administration API of PrizmDoc Server should not be accessible to end-users or the public internet.

Ports

The following are the default ports that should be open to access PrizmDoc Server.

Single-server Mode:

Cluster Mode:

PrizmDoc Server also uses a number of ports for internal purposes. These ports must not be accessible from outside of the server.

Secure Viewing Sessions

The central configuration file contains properties that limit the values users can set should they attack PrizmDoc Server with inappropriate values that could cause performance problems on the server. These values are properties in the ViewingSessionProperties object that a client-user passes to PrizmDoc Server to start a viewing session.

The file paths for the Central Configuration file are:

Note: The default installation directory is: C:\Prizm.

For more information refer to the following topics:

The following configuration properties put limits on viewing session properties sensitive to abusive attacks:

Example - Central Configuration Properties
# Defines the min and max allowed values for the countOfInitialPages viewing
# session creation option.
#
# viewing.sessionConstraints.countOfInitialPages.min: 0
# viewing.sessionConstraints.countOfInitialPages.max: 10

# A regex which defines the pattern of an acceptable value for the
# documentExtension viewing session creation option.
#
# viewing.sessionConstraints.documentExtension.regex: ".*"

# A regex which defines the pattern of an acceptable value for the
# externalId viewing session creation option.
#
# viewing.sessionConstraints.externalId.regex: ".*"

# Defines the list of allowed values for the serverCaching viewing session
# creation option.
#
# Must be an array with one or more of the following strings:
#
# "none" - Allow REST API callers to create a new viewing session with caching
#          explicitly disabled.
#
# "full" - Allow REST API callers to create a new viewing session with caching
#          explicitly enabled.
#
# viewing.sessionConstraints.serverCaching.allowedValues: ["none","full"]

# Defines the list of allowed values for the alwaysUseRaster viewing session
# creation option.
#
# Must be an array with one or more of the following values:
#
# false - Allow REST API callers to create a new viewing session which will
#         generate both raster and vector page content. Ideal for modern
#         browsers.
# true -  Allow REST API callers to create a new viewing session which will
#         only generate raster content; vector content will not be generated.
#         This is useful for some older browsers.
#
# viewing.sessionConstraints.render.alwaysUseRaster.allowedValues: [false]
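
As an added example (not PrizmDoc code), this Python validator applies the same kinds of limits an integrating application could enforce on a ViewingSessionProperties body before forwarding it to PrizmDoc Server. The constraint names mirror the central-configuration properties above; the tightened patterns and allow-lists, the request layout and the validate_viewing_session function are assumptions of this example.

```python
import re

# Constructed example of tightened central-configuration constraints. The key names
# mirror the viewing.sessionConstraints.* properties on the page; the dict layout,
# the sample patterns and the allow-lists are this example's own choices.
HARDENED_CONSTRAINTS = {
    "countOfInitialPages": {"min": 0, "max": 10},
    "documentExtension": {"regex": r"^(pdf|docx|xlsx|pptx|tiff?|png|jpe?g)$"},
    "externalId": {"regex": r"^[A-Za-z0-9_-]{1,64}$"},
    "serverCaching": {"allowedValues": ["full"]},
    "render": {"alwaysUseRaster": {"allowedValues": [False]}},
}


def validate_viewing_session(props, constraints=HARDENED_CONSTRAINTS):
    """Return the list of constraint violations for a viewing-session request body
    (empty when the request is acceptable). Only properties the client actually sent
    are checked; the request layout assumed here is this example's own."""
    errors = []
    if "countOfInitialPages" in props:
        v = props["countOfInitialPages"]
        c = constraints["countOfInitialPages"]
        # bool is an int subclass in Python, so reject it explicitly
        if isinstance(v, bool) or not isinstance(v, int) or not c["min"] <= v <= c["max"]:
            errors.append(f"countOfInitialPages={v!r} outside [{c['min']}, {c['max']}]")
    for name in ("documentExtension", "externalId"):
        if name in props:
            v, pattern = props[name], constraints[name]["regex"]
            # fullmatch: the pattern must describe the whole value, not a substring of it
            if not isinstance(v, str) or re.fullmatch(pattern, v) is None:
                errors.append(f"{name}={v!r} does not match {pattern}")
    if "serverCaching" in props:
        v, allowed = props["serverCaching"], constraints["serverCaching"]["allowedValues"]
        if v not in allowed:
            errors.append(f"serverCaching={v!r} not in {allowed}")
    render = props.get("render") or {}
    if "alwaysUseRaster" in render:
        v = render["alwaysUseRaster"]
        allowed = constraints["render"]["alwaysUseRaster"]["allowedValues"]
        if not isinstance(v, bool) or v not in allowed:
            errors.append(f"render.alwaysUseRaster={v!r} not in {allowed}")
    return errors


# Constructed sample request bodies: one within the limits, one that trips every check
GOOD_REQUEST = {"countOfInitialPages": 5, "documentExtension": "pdf", "externalId": "doc-42",
                "serverCaching": "full", "render": {"alwaysUseRaster": False}}
BAD_REQUEST = {"countOfInitialPages": 100000, "documentExtension": "exe", "externalId": "x" * 80,
               "serverCaching": "none", "render": {"alwaysUseRaster": True}}
```

The default ".*" patterns from the page accept any string, so the value of the regex constraints comes from replacing them with anchored patterns like the ones above.
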

The following configuration properties have been deprecated and will be removed in a future release. Alter these properties only if not using the central configuration file.

The pcc.config file contains element tags that limit the values users can set should they attack PrizmDoc Server with inappropriate values that could cause performance problems on the server. These values are properties in the ViewingSessionProperties object that a client-user passes to PrizmDoc Server to start a viewing session. The following tags put limits on properties sensitive to abusive attacks:

Tags
<!--
  The regular expression check on ViewingSessionProperties.externalId to ensure appropriate values are being set. The default is to allow any string values.
-->
<ViewingSessionPropertyExternalId>.*</ViewingSessionPropertyExternalId>

<!--
  The regular expression check on ViewingSessionProperties.documentExtension to ensure appropriate values are being set. The default is to allow any string values.
-->
<ViewingSessionPropertyDocumentExtension>.*</ViewingSessionPropertyDocumentExtension>

<!--
  The minimum and maximum values allowed for ViewingSessionProperties.countOfInitialPages. A value of 0 means do all pages, so a min of 0 permits that. The max value can be zero or the maximum value allowed for this property.
-->
<ViewingSessionPropertyCountOfInitialPages>min=0,max=10</ViewingSessionPropertyCountOfInitialPages>

<!--
  The minimum and maximum dpi values allowed for rendering images.
-->
<Html5RenderRasterResolution>min=100,max=300</Html5RenderRasterResolution>

<!--
  The permitted values for alwaysUseRaster can be true, false, or any (which means don't care). The default here is false, which means SVG files can be rendered.
-->
<Html5RenderAcceptableRasterValue>false</Html5RenderAcceptableRasterValue>

<!--
  The permitted values for serverCaching can be none, full, or any (which means take whatever is set). The default is none.
-->
<ViewingSessionPropertyServerCaching>none</ViewingSessionPropertyServerCaching>