Navigation :

Methods

Base usage

This call will generate a PDF document, methods to get document are described below.

pdfmake.createPdf(docDefinition);
pdfmake.createPdf(docDefinition, options);

Parameters:

docDefinition - object with document definition, see chapter
options (optional) - advanced options see options chapter

Write the PDF document as file

pdfmake.createPdf(docDefinition).write(filename).then(() => {
	// finished
}, err => {
	console.error(err);
});

Parameters:

filename - PDF document file name
options (optional) - advanced options see options chapter

Get the PDF document as URL data

pdfmake.createPdf(docDefinition).getDataUrl().then((dataUrl) => {
	// ...
}, err => {
	console.error(err);
});

Get the PDF document as base64 data

pdfmake.createPdf(docDefinition).getBase64().then((data) => {
	console.log(data);
}, err => {
	console.error(err);
});

Get the PDF document as buffer

pdfmake.createPdf(docDefinition).getBuffer().then((buffer) => {
	// ...
}, err => {
	console.error(err);
});

Get the PDF document as stream

pdfmake.createPdf(docDefinition).getStream().then((stream) => {
	// ...
}, err => {
	console.error(err);
});

URL Access Policy

Minimal version: 0.3.6

The setUrlAccessPolicy() method allows you to define a custom security policy for external URLs before they are downloaded.

This can be used to restrict allowed domains, enforce HTTPS, or prevent SSRF attacks by blocking private or internal network addresses.

Basic example:

pdfmake.setUrlAccessPolicy((url) => {
    // check allowed domain
    return url.startsWith("https://example.com/");
});

Allow only https urls:

pdfmake.setUrlAccessPolicy((url) => {
  const parsed = new URL(url);

  if (parsed.protocol !== "https:") {
    return false;
  }

  return true;
});

Disallow localhost url:

pdfmake.setUrlAccessPolicy(async (url) => {
  const parsed = new URL(url);

  if (parsed.hostname === "localhost") {
    return false;
  }

  return true;
});

Example with basic SSRF protection:

import dns from 'dns/promises';

pdfmake.setUrlAccessPolicy(async (url) => {
  const parsed = new URL(url);

  // Resolve hostname to IP address
  const { address } = await dns.lookup(parsed.hostname);

  // Block localhost
  if (address === "127.0.0.1" || address === "::1") {
    return false;
  }

  // Block private IPv4 ranges
  if (
    address.startsWith("10.") ||
    address.startsWith("192.168.") ||
    address.startsWith("172.16.") ||
    address.startsWith("172.17.") ||
    address.startsWith("172.18.") ||
    address.startsWith("172.19.") ||
    address.startsWith("172.2") // 172.20–29
  ) {
    return false;
  }

  return true;
});