Re: Securing PDF file on a Website

Much simpler to have a password protected directory in IIS or Apache or 
whatever and just require them to enter a password and username to access to 
the directory with the file in it (they can remember a username and password 
I hope =). Or require a user SSL certificate if you're very paranoid (but 
then you get into building a CA< issuing certificates, etc, a very non 
trivial amount of work).This is covered in the IIS and Apache documentation. 
For example what I use on my server to restrict access to the /admin/ 
directory:

$ cat /var/www/html/admin/.htaccess

AuthType Basic
AuthName "admin area"
AuthUserFile /var/www/etc/passwd
AuthGroupFile /var/www/etc/group
require group admin

$ cat /var/www/etc/group
admin:kurt

$ cat /var/www/etc/passwd
kurt:9273tf9gwq(not my real password obviously)


use htpasswd and a text editor to create your password and groups file, very 
simple as you can see.

In IIS:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cc461c52-7a1b-4fd8-a790-128339056bba.mspx

Also use an SSL enabled server (HTTPS) so that attackers can't sniff 
credentials (or simply copy the document).

But if you like needless complication and creating new security issues the 
program to create the PDF on the fly is the way to go.

-Kurt Seifried
http://seifried.org/security/