When Nutrient Web SDK opens documents from Document Engine, developers gain enhanced security capabilities, including JWT-based authentication, built-in collaboration permissions for fine-grained access control, and server-side document processing that prevents direct PDF downloads. For information about different deployment options, refer to the operational modes guide.

User authentication

The PDF viewer client authenticates itself with your running Document Engine instance. This is done through a JSON Web Token (JWT).

Your users then use the JWT your app supplied to authenticate themselves with the client, which will then return only the data the user is allowed to see. In general, a JWT will give the user access to a specific document and Instant layer combination.

For detailed information on generating JWTs, refer to the generate a JWT guide. For Web SDK-specific authentication implementation, refer to the client authentication with JWT guide.
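As an added illustration of the document-and-layer scoping described above (not code from Nutrient or from this guide), the Node.js example below mints a short-lived RS256 token for one document and layer, then shows a verifier rejecting an expired token and one whose payload was altered. The claim names document_id, layer and permissions, the read-document value, the RS256 choice, and the helper names mintViewerToken and verifyViewerToken are assumptions; confirm the real claim set in the generate a JWT guide.

```javascript
const nodeCrypto = require("crypto");
const b64url = (data) => Buffer.from(data).toString("base64url");

// Backend side: mint a short-lived RS256 token scoped to ONE document/layer pair.
// Claim names (document_id, layer, permissions) are assumptions; check the JWT guide.
function mintViewerToken(privateKey, { documentId, layer, permissions, ttlSeconds = 300 }, now) {
  if (!documentId || !Array.isArray(permissions) || permissions.length === 0) {
    throw new Error("token must name a document and at least one permission");
  }
  const ttlOk = Number.isInteger(ttlSeconds) && ttlSeconds > 0 && ttlSeconds <= 3600;
  if (!ttlOk) throw new Error("ttlSeconds must be between 1 and 3600");
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const claims = { document_id: documentId, permissions, iat: now, exp: now + ttlSeconds };
  if (layer) claims.layer = layer;
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const signature = nodeCrypto.sign("sha256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Verifier side (what a party holding the public key does): pin the algorithm,
// check the signature, then check expiry. Returns the claims, or null on any failure.
function verifyViewerToken(publicKey, token, now) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  } catch { return null; }
  if (header.alg !== "RS256") return null; // never trust the token's own alg choice
  const sig = Buffer.from(s, "base64url");
  const ok = nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, sig);
  if (!ok || typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Constructed demo: throwaway key pair, made-up document IDs, fixed clock.
function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = 1700000000;
  const scope = { documentId: "doc-123", layer: "review", permissions: ["read-document"] };
  const token = mintViewerToken(privateKey, scope, now);
  const [h, , s] = token.split(".");
  const altered = { document_id: "doc-999", permissions: ["read-document"], exp: now + 300 };
  const tampered = `${h}.${b64url(JSON.stringify(altered))}.${s}`;
  const check = (t, at) => verifyViewerToken(publicKey, t, at);
  return { valid: check(token, now + 60), expired: check(token, now + 301), tampered: check(tampered, now + 60) };
}
```

Keeping the lifetime short and the scope to a single document and layer limits what a leaked token can open.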

User permissions

Collaboration Permissions is a feature that gives you a fine-grained permission system for defining actions enabled for individual users when multiple users are working on the same document. It can also control which actions a user can take and which resources a user can see.

For detailed information on available permissions and how to configure them in your JWT, refer to the setting user collaboration permissions guide.

Dynamic watermarking

Adding a non-removable watermark to documents can discourage viewers from sharing your content or taking screenshots. For an additional layer of security, you can use a custom watermark for each individual user that contains identifying information such as their name, timestamp, and ID. This makes it straightforward to trace any leaks back to the source.

For detailed information on adding watermarks to PDFs, refer to the add watermarks to PDFs guide.

Preventing download and distribution

Opening a remote document from a PDF viewer involves sending its data over a network to a user's client. This makes it impossible to fully prevent the user from downloading it. However, there are a few ways Nutrient Web SDK makes this more difficult, so as to discourage users who wish to do this:

  1. Our frontend SDKs can prevent a user from using the export toolbar item to download your document by omitting the button from the toolbar. For implementation details, refer to the hiding the download button guide.
  2. The actual PDF document isn't sent to the client at all. Instead, Nutrient Web SDK streams content from the document as image tiles. While this doesn't make downloading completely impossible, it acts as a deterrent by requiring users to capture and manually reconstruct image tiles. Users wouldn't have access to the actual PDF file with its text, links, and other metadata intact.

Preventing print and text selection

Our frontend SDKs can prevent a user from using the Print button in the PDF viewer by removing it from the toolbar. For implementation details, refer to the enabling and disabling printing guide.

It's also possible to disable text selection through configuration properties in our frontend SDKs. Refer to the disableTextSelection configuration option for more information.