Securely Share PDFs Without Uploading to Third‑Party Sites: A Step‑by‑Step Guide for Legal Teams
Legal departments handle contracts, evidence files, and other highly confidential documents. The common workflow of uploading a PDF to a cloud‑based sharing service instantly creates a security risk: the file lives outside your corporate perimeter, and you lose granular control over who can view it and for how long.
What if you could embed a secure, encrypted PDF viewer directly into your .NET web portal, guaranteeing that the document never touches a third‑party server?
In this guide we’ll walk you through a practical, enterprise‑grade solution built with DoconutApp—a 100% plug‑in‑free PDF viewer that runs natively in .NET 6+ environments. By the end you’ll have a fully auditable preview experience that meets the strict compliance requirements of law firms and corporate legal teams.
Why Traditional Cloud Sharing Falls Short
| Risk | Typical Cloud Service | How DoconutApp Eliminates It |
|---|---|---|
| Data exile – file stored on external servers | Files are persisted on the provider’s storage, often in regions you cannot control. | PDFs stay on your own infrastructure, encrypted at rest. |
| Loss of control over access lifetimes | Sharing links can be forwarded indefinitely. | Time‑bound, single‑use tokens ensure a preview expires automatically. |
| Compliance gaps | Auditing logs are often limited to “download” events. | Full server‑side logging of every preview request (user, IP, timestamp). |
| Plugin dependence | Many viewers require Flash, ActiveX, or browser extensions. | Pure HTML5/JavaScript viewer runs in any modern browser without plugins. |
Solution Overview
- Add the DoconutApp viewer library to your .NET project.
- Encrypt PDFs on disk using a server‑side key.
- Embed the viewer component in a Razor page or MVC view, passing the token via query string.
- Log every preview request for audit trails and anomaly detection.
Below is a detailed walkthrough of each step, including best‑practice recommendations for key management, token security, and compliance logging.
Step 1 – Prepare Your .NET Environment
- Open your solution in Visual Studio (2022 or later recommended).
- Target .NET 6 or newer – DoconutApp’s viewer is built on modern .NET APIs and takes advantage of System.Security.Cryptography improvements.
- Install the NuGet package:
  dotnet add package DoconutApp.Viewer
  Think of this package as installing a high‑security vault door on your application: once added, the door is ready to be locked and unlocked programmatically.
Additional Tips
- Store the package reference in a Directory.Packages.props file for centralized version management across multiple services.
Step 2 – Store PDFs with Strong Encryption
2.1 Choose an Encryption Algorithm
DoconutApp’s EncryptPdfAsync uses AES‑256‑GCM by default, providing authenticated encryption (confidentiality + integrity). This meets most regulatory frameworks (e.g., GDPR, HIPAA, ISO 27001).
2.2 Implement Secure Key Management
- Never hard‑code keys. Use Azure Key Vault, AWS KMS, or HashiCorp Vault to retrieve the encryption key at runtime.
- Rotate keys regularly (every 90 days is a common practice). DoconutApp can re‑encrypt existing files with a new key using a batch job.
Step 3 – Generate a Time‑Bound, One‑Use Token
The preview token acts like a single‑use badge that expires automatically. It embeds:
- User ID – Who is allowed to view the document.
- PDF ID – Which encrypted file to stream.
- Expiration – Usually 5–10 minutes, configurable per policy.
- Signature – HMAC or RSA signed to prevent tampering.
3.1 Security Considerations
- TLS everywhere – Always serve the token over HTTPS.
- Least privilege – Encode only the data required for preview; avoid embedding extra claims.
- Token revocation – A simple “blacklist” in Redis allows immediate revocation if a user’s access rights change.
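The token described in this step, sketched with .NET's built-in HMAC-SHA256 as an added example (it is not DoconutApp code and not from the original guide). The `PreviewTokens` class, the `|`-separated payload, the hex encoding and the in-memory dictionary standing in for Redis are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key; load the real one from your vault
var tokens = new PreviewTokens(key);
string token = tokens.Issue("user-17", "pdf-0042", TimeSpan.FromMinutes(5));
string forged = Convert.ToHexString(Encoding.UTF8.GetBytes("user-17|pdf-9999|9999999999|00"))
                + "." + token.Split('.')[1];

Console.WriteLine(tokens.TryRedeem(forged, out _, out _));           // swapped payload under a reused signature
Console.WriteLine(tokens.TryRedeem(token, out _, out string pdfId)); // first redemption of a valid token
Console.WriteLine(pdfId);
Console.WriteLine(tokens.TryRedeem(token, out _, out _));            // replay of the same token

sealed class PreviewTokens
{
    private readonly byte[] _key;
    // In-memory stand-in for a shared store such as Redis: nonces already redeemed.
    private readonly ConcurrentDictionary<string, long> _used = new();

    public PreviewTokens(byte[] key) => _key = key;

    // Assumes IDs never contain '|', the field separator chosen for this sketch.
    public string Issue(string userId, string pdfId, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        byte[] payload = Encoding.UTF8.GetBytes($"{userId}|{pdfId}|{exp}|{nonce}");
        return Convert.ToHexString(payload) + "." + Convert.ToHexString(HMACSHA256.HashData(_key, payload));
    }

    public bool TryRedeem(string token, out string userId, out string pdfId)
    {
        userId = pdfId = "";
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = Convert.FromHexString(parts[0]); mac = Convert.FromHexString(parts[1]); }
        catch (FormatException) { return false; }
        // Verify the MAC in constant time before trusting any field.
        if (!CryptographicOperations.FixedTimeEquals(mac, HMACSHA256.HashData(_key, payload))) return false;
        string[] f = Encoding.UTF8.GetString(payload).Split('|');
        if (f.Length != 4 || !long.TryParse(f[2], out long exp)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > exp) return false;
        // Single use: TryAdd succeeds only for the first redemption of this nonce.
        if (!_used.TryAdd(f[3], exp)) return false;
        userId = f[0]; pdfId = f[1];
        return true;
    }
}
```

With several web servers the redeemed-nonce set has to live in a shared store with an atomic "set if absent" operation, and entries can be dropped once their expiry has passed.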
Step 4 – Embed the DoconutApp Viewer
4.1 Server‑Side Streaming Endpoint
- In‑memory decryption guarantees the plaintext never touches the file system.
- The viewer runs completely client‑side using HTML5 canvas and PDF.js, sandboxed by the browser.
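To make the AES‑256‑GCM storage from Step 2.1 and the in‑memory decryption above concrete, here is an added example that uses only .NET's `System.Security.Cryptography.AesGcm`; it is not DoconutApp's `EncryptPdfAsync` and not code from the original guide. The `PdfVault` class, the nonce|tag|ciphertext layout and the use of the PDF ID as associated data are assumptions of this sketch.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key; fetch the real one from your vault
byte[] pdf = Encoding.ASCII.GetBytes("%PDF-1.7 constructed sample body");

byte[] blob = PdfVault.Encrypt(key, "pdf-0042", pdf);
using MemoryStream plain = PdfVault.DecryptToMemory(key, "pdf-0042", blob);
Console.WriteLine($"decrypted {plain.Length} bytes in memory");

blob[^1] ^= 0x01; // simulate a modified file on disk
try { PdfVault.DecryptToMemory(key, "pdf-0042", blob); }
catch (CryptographicException) { Console.WriteLine("tag check failed, nothing returned"); }

static class PdfVault
{
    const int NonceSize = 12, TagSize = 16;

    // Stored layout (assumed for this example): nonce (12) | tag (16) | ciphertext.
    public static byte[] Encrypt(byte[] key, string pdfId, byte[] plaintext)
    {
        byte[] blob = new byte[NonceSize + TagSize + plaintext.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        RandomNumberGenerator.Fill(nonce); // fresh random nonce for every encryption
        // On .NET 8+ prefer the constructor overload that also takes the tag size.
        using var aes = new AesGcm(key);
        // The PDF ID is bound as associated data, so a blob copied under another ID fails to decrypt.
        aes.Encrypt(nonce, plaintext, blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), Encoding.UTF8.GetBytes(pdfId));
        return blob;
    }

    // Returns the plaintext as a read-only in-memory stream; no temp file is written.
    public static MemoryStream DecryptToMemory(byte[] key, string pdfId, byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("blob too short");
        byte[] plaintext = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key);
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), plaintext, Encoding.UTF8.GetBytes(pdfId));
        return new MemoryStream(plaintext, writable: false);
    }
}
```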
4.2 No Plugins Required
Because DoconutApp relies on standard web technologies, it works across Chrome, Edge, Firefox, and Safari without any additional plugins, ActiveX controls, or Flash dependencies.
Step 5 – Audit & Log Access for Compliance
Legal teams often need a tamper‑evident trail of who viewed which contract and when. Implement a structured logging pipeline:
| Field | Description |
|---|---|
| UserId | Identifier of the requesting legal professional |
| PdfId | Internal reference to the encrypted document |
| Timestamp | UTC time of the preview request |
| IpAddress | Source IP (helpful for geo‑location checks) |
| UserAgent | Browser string for forensic analysis |
| Result | Success / Failure (e.g., token invalid, decryption error) |
Best Practices
- Store logs in an append‑only, immutable datastore (e.g., Azure Log Analytics, Splunk, or a write‑once S3 bucket).
- Enable alerting for abnormal patterns—such as the same token used from two distinct IPs within seconds.
- Retention policy: Keep logs for the period required by your jurisdiction (commonly 7 years for legal records).
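One way to express the "same token from two distinct IPs within seconds" alert over structured preview logs, as an added example that is not part of the original guide. It assumes each log record also carries a `TokenId` field (not in the table above); the `PreviewEvent` record, the `TokenReuse` class and the sample records are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

var t0 = new DateTimeOffset(2024, 5, 1, 9, 0, 0, TimeSpan.Zero);
// Constructed sample records: fields from the table plus an assumed TokenId.
var log = new List<PreviewEvent>
{
    new("tok-a1", "user-17", "pdf-0042", t0,                "203.0.113.10", "Success"),
    new("tok-a1", "user-17", "pdf-0042", t0.AddSeconds(4),  "198.51.100.7", "Failure"),
    new("tok-b2", "user-22", "pdf-0108", t0.AddSeconds(60), "203.0.113.25", "Success"),
    new("tok-b2", "user-22", "pdf-0108", t0.AddSeconds(62), "203.0.113.25", "Failure"),
};

foreach (string alert in TokenReuse.Detect(log, TimeSpan.FromSeconds(10)))
    Console.WriteLine(alert);

record PreviewEvent(string TokenId, string UserId, string PdfId,
                    DateTimeOffset Timestamp, string IpAddress, string Result);

static class TokenReuse
{
    // Yields one alert per token presented from two different IPs within `window`.
    // Failed attempts count too: a rejected replay is exactly the signal of interest.
    public static IEnumerable<string> Detect(IEnumerable<PreviewEvent> events, TimeSpan window)
    {
        foreach (var group in events.GroupBy(e => e.TokenId))
        {
            var ordered = group.OrderBy(e => e.Timestamp).ToList();
            // Comparing neighbours in time order is enough: any two events from different
            // IPs inside the window have such a neighbouring pair between them.
            for (int i = 1; i < ordered.Count; i++)
            {
                PreviewEvent prev = ordered[i - 1], cur = ordered[i];
                if (cur.IpAddress == prev.IpAddress || cur.Timestamp - prev.Timestamp > window) continue;
                yield return $"{cur.Timestamp:O} token {cur.TokenId} (user {cur.UserId}, pdf {cur.PdfId}) " +
                             $"seen from {prev.IpAddress} then {cur.IpAddress}";
                break; // one alert per token
            }
        }
    }
}
```

In the sample, only `tok-a1` is flagged; the second `tok-b2` attempt comes from the same address and is an ordinary rejected reuse.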
Quick Recap
- Add the DoconutApp viewer NuGet package to your .NET 6+ project.
- Encrypt PDFs on write with AES‑256‑GCM; manage keys via a vault service.
- Issue a short‑lived, single‑use preview token (JWT) when a user requests a view.
- Embed the viewer in a Razor page; the viewer fetches, decrypts, and renders the PDF entirely in memory—no third‑party uploads, no plugins.
- Log every preview for auditability and compliance, with real‑time alerts for suspicious activity.
Conclusion
Secure PDF sharing doesn’t have to involve cumbersome third‑party services or risky file transfers. By leveraging DoconutApp’s enterprise‑grade viewer, your legal department can present confidential contracts, litigation exhibits, and internal policies directly within your existing .NET web portal—with end‑to‑end encryption, fine‑grained access control, and full audit trails.
Ready to protect your legal documents the modern way? Visit doconut.com, sign up for a 30‑day free trial, and download the starter kit that includes all the code snippets from this guide.
Implementing these steps will give compliance officers peace of mind, reduce the attack surface, and keep your PDFs firmly inside your corporate firewall—exactly the security posture any legal team needs.
Stay secure, stay compliant, and keep those sealed envelopes where they belong: inside your own vault.
