Table of Contents

Class SecurityPolicy

Namespace
NetPdf
Assembly
NetPdf.dll

Controls which URI schemes and hosts the resource loader is allowed to fetch from, plus per-resource size / time limits. The default is the BaseUri-sandbox model: file:// reads under BaseUri's directory subtree are permitted, but the rest of the filesystem and remote schemes (http/https) are not. This lets typical templates with relative <img src="logo.png"> work out of the box without exposing the host filesystem.

public sealed class SecurityPolicy
Inheritance
SecurityPolicy
Inherited Members

Properties

AllowDataUri

public bool AllowDataUri { get; init; }

Property Value

bool

AllowFileScheme

Allow reading any file via file:// URI. Requires explicit opt-in because it gives the loader full filesystem access. For sandboxed access to assets under BaseUri, prefer AllowFileSchemeUnderBaseUri.

public bool AllowFileScheme { get; init; }

Property Value

bool

AllowFileSchemeUnderBaseUri

Allow reading file:// URIs whose path is under the directory of the configured BaseUri (and only that subtree — path traversal outside it is blocked). Default true: lets relative <img src="logo.png"> work out of the box without exposing the rest of the filesystem.

public bool AllowFileSchemeUnderBaseUri { get; init; }

Property Value

bool

AllowHttpScheme

public bool AllowHttpScheme { get; init; }

Property Value

bool

AllowHttpsScheme

public bool AllowHttpsScheme { get; init; }

Property Value

bool

AllowedHosts

When non-empty and HTTP(S) is allowed, only requests whose host matches one of these entries are permitted. Wildcards permitted: *.example.com.

public IReadOnlyList<string> AllowedHosts { get; init; }

Property Value

IReadOnlyList<string>

MaxOutputBytes

Per SEC-5 — maximum size in bytes of the produced PDF. Bounds output amplification (huge image cascades, page explosions) independently of the page cap. When exceeded, the conversion aborts with an HtmlPdfException carrying PDF-OUTPUT-SIZE-EXCEEDED-001. Default is effectively unlimited (MaxValue) so trusted rendering is unchanged; UntrustedHtml caps at 50 MiB.

public long MaxOutputBytes { get; init; }

Property Value

long

MaxPages

Per SEC-5 — maximum number of PDF pages a single conversion may emit. A configurable, policy-driven cap layered ABOVE the pipeline's hard 20 000-page emergency backstop (which guards a non-advancing layout loop and stays regardless). Hostile HTML can amplify into an enormous page count (deeply repeated content, forced breaks); tighten this for untrusted input. When exceeded, the render stops at the cap + emits PDF-PAGE-LIMIT-EXCEEDED-001. Default 20 000 (the backstop) so trusted rendering is unchanged; UntrustedHtml uses 500.

public int MaxPages { get; init; }

Property Value

int

MaxRedirectHops

Per Phase C C-6 — maximum HTTP redirect hops to follow on a single resource fetch. Each hop must be re-validated against the rest of this policy via UriSafetyValidator.ValidateRedirect; even with that, hostile servers can construct redirect loops or "open redirect → SSRF" chains. 5 matches RFC 7231 §6.4 guidance + browser defaults.

public int MaxRedirectHops { get; init; }

Property Value

int

MaxResourceBytes

public long MaxResourceBytes { get; init; }

Property Value

long

MaxResourcesPerRender

Per Phase C C-5 — maximum number of distinct resources (images / fonts / stylesheets / etc.) the loader may fetch during one render. Defends against documents that reference thousands of resources to amplify outbound traffic. Real documents rarely exceed 50; the default of 200 leaves headroom for icon-heavy dashboards.

public int MaxResourcesPerRender { get; init; }

Property Value

int

MaxTotalResourceBytes

Per Phase C C-5 — maximum total bytes summed across every fetched resource for one render. Bounds the cumulative network + memory cost when an attacker references many small-but-numerous resources (each individually under MaxResourceBytes). 100 MiB is generous for any realistic document.

public long MaxTotalResourceBytes { get; init; }

Property Value

long

ResourceTimeout

public TimeSpan ResourceTimeout { get; init; }

Property Value

TimeSpan

SafeDefault

The default — BaseUri-sandboxed file:// reads, data URIs, no HTTP(S), 10 s timeout, 25 MB cap, 200 resources per render, 100 MiB total, 5 redirect hops. Suitable for most document-rendering scenarios out of the box.

public static SecurityPolicy SafeDefault { get; }

Property Value

SecurityPolicy

TrustedTemplate

Per Phase D D-2 — trusted-template profile. Mirrors SafeDefault + adds explicit naming so callers' intent is visible at the call site (SecurityPolicy.TrustedTemplate reads better than SecurityPolicy.SafeDefault when the caller knows the HTML source).

public static SecurityPolicy TrustedTemplate { get; }

Property Value

SecurityPolicy

UntrustedHtml

Per Phase D D-2 — strict profile for services that accept arbitrary customer HTML (web APIs, multi-tenant rendering). Disables every URL-fetching surface:

<ul><li><code>file:</code> — fully off (both flavors). HTML must
  not be able to read any local file.</li><li><code>http</code> + <code>https</code> — off. Even with the
  IP blocklist + AllowedHosts, the safest posture for
  untrusted input is to block external fetches entirely.</li><li><code>data:</code> — off. <code>data:text/html</code> + <code>data:image/svg+xml</code>
  are the standard SSRF/XSS sneak paths in HTML-to-PDF research.</li><li>Tighter per-render budgets (50 fetches, 20 MiB)
  so a hostile document can't amplify even within the
  reduced surface.</li></ul>

API services rendering customer HTML should pin this profile +
document the explicit-opt-in dance for any deviation.
Per the research basis (Intigriti SSRF payload list,
SideChannel converter sandbox guidance, AppSecEngineer
SSRF mitigations).
public static SecurityPolicy UntrustedHtml { get; }

Property Value

SecurityPolicy