Security

Last updated: April 13, 2026

PDFSpark is a free public API. This page explains the security controls we have in place, how we handle data in transit and in memory, and how to report a vulnerability.

Transport

• All traffic to pdfspark.dev is served over HTTPS. HTTP requests are redirected by Azure Front Door / Azure App Service to HTTPS.
• TLS is terminated by Azure App Service using managed certificates.
• HTTP security headers are applied via Helmet: X-Content-Type-Options: nosniff, X-DNS-Prefetch-Control, X-Download-Options, X-Frame-Options, Strict-Transport-Security, and more.

Request handling

• Request bodies are capped at 70 MB to prevent resource exhaustion.
• Each request receives a unique X-Request-Id header used for correlation in logs and error telemetry.
• Per-IP rate limiting is enforced through express-rate-limit. Excess traffic receives 429 Too Many Requests.

SSRF protection for URL rendering

The POST /api/v1/pdf/from-url endpoint renders a user-supplied URL in headless Chromium. To prevent server-side request forgery we validate the URL before the browser fetches it:

• Only http and https schemes are allowed.
• localhost, 127.0.0.1, 0.0.0.0, and IPv6 loopback (::1) are blocked.
• IPv4 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are blocked.
• Link-local 169.254.0.0/16 — including cloud instance metadata endpoints — is blocked.
• IPv6 unique-local and link-local ranges are blocked.

Browser isolation

• Each PDF render uses a fresh browser context that is discarded after the request completes.
• JavaScript executes with the Chromium sandbox enabled.
• The browser cannot reach the host filesystem — the container image runs as a non-root user.

Data at rest

There is no database. Submitted HTML, URL content, and generated PDFs exist only in server memory for the lifetime of a single request. Nothing is written to persistent storage. See the Privacy Policy.

Logging and telemetry

• Operational access logs (IP, method, path, status, latency, user-agent) are retained for up to 30 days.
• Error and performance telemetry is sent to Azure Application Insights hosted in Germany West Central.
• We do not log submitted HTML, URL content, or generated PDF bytes.

Infrastructure

• Hosted on Microsoft Azure App Service for Containers, Germany West Central region.
• Container images are built by GitHub Actions and pushed to GitHub Container Registry (GHCR).
• Deployments are promoted only after CI passes (lint, type check, unit tests, integration tests).

Dependencies

We monitor third-party packages with automated dependency scanning and apply security patches as they are published.

Responsible disclosure

If you discover a vulnerability, please report it privately before disclosing publicly.

• Channel: email security@softvoyagers.com with a proof-of-concept and reproduction steps.
• We will acknowledge within 5 business days and provide a status update within 15 business days.
• Please allow a reasonable remediation window (typically 30–90 days depending on severity) before public disclosure.

In scope

• pdfspark.dev and softvoyagers-pdfspark.azurewebsites.net
• The /api/v1/* REST API
• The marketing pages served from the same domain

Out of scope

• Social engineering, physical attacks, and denial-of-service testing.
• Reports about missing security headers on pages that do not accept user input.
• Vulnerabilities in third-party dependencies already reported upstream.
• Clickjacking on pages without sensitive actions.

Safe harbor

Good-faith security research that respects this policy and does not exfiltrate user data, degrade service, or test prohibited scope will not be pursued. Rate-limit bypass attempts, credential stuffing, and large automated scans are not considered good-faith research.