Back to projects

Time Locked PDF

Solo security architecture, build, and deployment

Time Locked PDF answers a deceptively simple question: how do you make a document genuinely unreachable outside a specific time window? Exam papers, timed assignments, and scheduled releases all break if a user can just change their system clock or replay an old link. I designed the security architecture and built the full system end to end.

The trust boundary sits entirely server-side. Vercel serverless functions perform every time check — the client clock is never trusted — and documents are served through signed URLs with automatic expiry, so a leaked link dies on schedule. The embedded PDF.js viewer blocks direct downloads during restricted windows and watermarks authorised views, while the access layer logs every attempt. Getting it production-ready meant working through the unglamorous edge cases: timezone differences, daylight-saving transitions, concurrent access, and deliberate clock-manipulation and replay attempts, all of which were tested before launch.

View SourceVisit Website

Built With

HTML/JSVercel FunctionsSigned URLsPDF.js

Highlights

  • Server-side time validation as the single source of truth — defeats client clock manipulation by design, verified with simulated tampering attempts.
  • Signed URLs with automatic expiration, so document links are useless outside their access window even if shared or leaked.
  • Embedded in-browser viewer that blocks direct downloads during restricted periods and watermarks every authorised view.
  • Access logging and an analytics dashboard for auditing who attempted access and when.
  • Hardened against real-world messiness: timezone differences, daylight-saving transitions, and concurrent access were all explicitly tested.

Security Considerations

  • Threat model covers clock manipulation, URL tampering, replay attacks, and unauthorised redistribution — each with a server-side mitigation.
  • Rate limiting on access attempts to slow brute-force probing of access windows.
  • Transport and content hardening at launch: HTTPS enforcement, CORS policies, and content security headers.
  • Security architecture documented for future maintainers as part of the handover-ready launch.

Project Timeline

Use Case Discovery

Apr 2024

Identified the need for time-restricted document access — exam papers, timed assignments, and scheduled content releases that shouldn't be reachable outside a specific window.

Security Architecture

May 2024

Designed the access flow: server-side time verification to defeat client-clock manipulation, signed URLs for document access, and automatic expiration.

Serverless Functions

Jun 2024

Built Vercel serverless functions for time validation, PDF serving with signed URLs, and access logging. All time checks happen server-side.

Frontend Access Interface

Jul 2024

Built a clean UI showing countdown timers, access windows, and document availability with clear locked/unlocked indicators.

PDF Viewer Integration

Sep 2024

Embedded an in-browser PDF viewer that blocks direct downloads during restricted periods and watermarks authorised views.

Edge Case Handling

Oct 2024

Addressed timezone differences, daylight saving transitions, and concurrent access scenarios. Added graceful degradation for slow connections.

Anti-Tampering Measures

Nov 2024

Server-side validation against URL manipulation and replay attacks, with rate limiting on access attempts.

Testing & Validation

Dec 2024

Tested across timezones, browsers, and devices. Simulated clock manipulation attempts to confirm the server-side enforcement holds.

Security Hardening & Launch

Jan 2025

Applied final constraints — HTTPS enforcement, CORS policies, content security headers — and deployed to Vercel.

Monitoring & Iteration

Feb 2025

Added an access analytics dashboard, refined the UI from user feedback, and documented the security architecture for future maintainers.