Class SecurityPolicy
- Namespace
- NetPdf
- Assembly
- NetPdf.dll
Controls which URI schemes and hosts the resource loader is allowed to fetch from,
plus per-resource size / time limits. The default is the BaseUri-sandbox model:
file:// reads under BaseUri's directory subtree are
permitted, but the rest of the filesystem and remote schemes (http/https) are not.
This lets typical templates with relative <img src="logo.png"> work
out of the box without exposing the host filesystem.
public sealed class SecurityPolicy
- Inheritance
-
SecurityPolicy
- Inherited Members
Properties
AllowDataUri
public bool AllowDataUri { get; init; }
Property Value
AllowFileScheme
Allow reading any file via file:// URI. Requires explicit opt-in because it gives the loader full filesystem access. For sandboxed access to assets under BaseUri, prefer AllowFileSchemeUnderBaseUri.
public bool AllowFileScheme { get; init; }
Property Value
AllowFileSchemeUnderBaseUri
Allow reading file:// URIs whose path is under the directory of the configured
BaseUri (and only that subtree — path traversal
outside it is blocked). Default true: lets relative
<img src="logo.png"> work out of the box without exposing the
rest of the filesystem.
public bool AllowFileSchemeUnderBaseUri { get; init; }
Property Value
AllowHttpScheme
public bool AllowHttpScheme { get; init; }
Property Value
AllowHttpsScheme
public bool AllowHttpsScheme { get; init; }
Property Value
AllowedHosts
When non-empty and HTTP(S) is allowed, only requests whose host matches one of
these entries are permitted. Wildcards permitted: *.example.com.
public IReadOnlyList<string> AllowedHosts { get; init; }
Property Value
MaxOutputBytes
Per SEC-5 — maximum size in bytes of the produced PDF. Bounds output
amplification (huge image cascades, page explosions) independently of the page cap.
When exceeded, the conversion aborts with an HtmlPdfException carrying
PDF-OUTPUT-SIZE-EXCEEDED-001. Default is effectively unlimited
(MaxValue) so trusted rendering is unchanged;
UntrustedHtml caps at 50 MiB.
public long MaxOutputBytes { get; init; }
Property Value
MaxPages
Per SEC-5 — maximum number of PDF pages a single conversion may emit.
A configurable, policy-driven cap layered ABOVE the pipeline's hard
20 000-page emergency backstop (which guards a non-advancing layout loop and stays
regardless). Hostile HTML can amplify into an enormous page count (deeply repeated
content, forced breaks); tighten this for untrusted input. When exceeded, the render
stops at the cap + emits PDF-PAGE-LIMIT-EXCEEDED-001. Default 20 000 (the
backstop) so trusted rendering is unchanged; UntrustedHtml uses 500.
public int MaxPages { get; init; }
Property Value
MaxRedirectHops
Per Phase C C-6 — maximum HTTP redirect hops to follow on a
single resource fetch. Each hop must be re-validated against the
rest of this policy via UriSafetyValidator.ValidateRedirect;
even with that, hostile servers can construct redirect loops or
"open redirect → SSRF" chains. 5 matches RFC 7231 §6.4 guidance
+ browser defaults.
public int MaxRedirectHops { get; init; }
Property Value
MaxResourceBytes
public long MaxResourceBytes { get; init; }
Property Value
MaxResourcesPerRender
Per Phase C C-5 — maximum number of distinct resources (images / fonts / stylesheets / etc.) the loader may fetch during one render. Defends against documents that reference thousands of resources to amplify outbound traffic. Real documents rarely exceed 50; the default of 200 leaves headroom for icon-heavy dashboards.
public int MaxResourcesPerRender { get; init; }
Property Value
MaxTotalResourceBytes
Per Phase C C-5 — maximum total bytes summed across every fetched resource for one render. Bounds the cumulative network + memory cost when an attacker references many small-but-numerous resources (each individually under MaxResourceBytes). 100 MiB is generous for any realistic document.
public long MaxTotalResourceBytes { get; init; }
Property Value
ResourceTimeout
public TimeSpan ResourceTimeout { get; init; }
Property Value
SafeDefault
The default — BaseUri-sandboxed file:// reads, data URIs, no HTTP(S), 10 s timeout, 25 MB cap, 200 resources per render, 100 MiB total, 5 redirect hops. Suitable for most document-rendering scenarios out of the box.
public static SecurityPolicy SafeDefault { get; }
Property Value
TrustedTemplate
Per Phase D D-2 — trusted-template profile.
Mirrors SafeDefault + adds explicit naming so
callers' intent is visible at the call site
(SecurityPolicy.TrustedTemplate reads better than
SecurityPolicy.SafeDefault when the caller knows the
HTML source).
public static SecurityPolicy TrustedTemplate { get; }
Property Value
UntrustedHtml
Per Phase D D-2 — strict profile for services that accept arbitrary customer HTML (web APIs, multi-tenant rendering). Disables every URL-fetching surface:
<ul><li><code>file:</code> — fully off (both flavors). HTML must
not be able to read any local file.</li><li><code>http</code> + <code>https</code> — off. Even with the
IP blocklist + AllowedHosts, the safest posture for
untrusted input is to block external fetches entirely.</li><li><code>data:</code> — off. <code>data:text/html</code> + <code>data:image/svg+xml</code>
are the standard SSRF/XSS sneak paths in HTML-to-PDF research.</li><li>Tighter per-render budgets (50 fetches, 20 MiB)
so a hostile document can't amplify even within the
reduced surface.</li></ul>
API services rendering customer HTML should pin this profile +
document the explicit-opt-in dance for any deviation.
Per the research basis (Intigriti SSRF payload list,
SideChannel converter sandbox guidance, AppSecEngineer
SSRF mitigations).
public static SecurityPolicy UntrustedHtml { get; }