diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index 84385f57..2152a453 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -17,6 +17,7 @@
 #include "modsecurity.h"
 #include "msc_logging.h"
 #include "msc_util.h"
+#include "pdf_protect.h"
 #include "http_log.h"
 #include "apr_lib.h"
 #include "acmp.h"
@@ -112,6 +113,14 @@ void *create_directory_config(apr_pool_t *mp, char *path)
 dcfg->stream_inbody_inspection = NOT_SET;
 dcfg->stream_outbody_inspection = NOT_SET;
+ /* PDF XSS protection. */
+ dcfg->pdfp_enabled = NOT_SET;
+ dcfg->pdfp_secret = NOT_SET_P;
+ dcfg->pdfp_timeout = NOT_SET;
+ dcfg->pdfp_token_name = NOT_SET_P;
+ dcfg->pdfp_only_get = NOT_SET;
+ dcfg->pdfp_method = NOT_SET;
+
 /* Geo Lookups */
 dcfg->geo = NOT_SET_P;
@@ -523,6 +532,20 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
 merged->stream_outbody_inspection = (child->stream_outbody_inspection == NOT_SET ? parent->stream_outbody_inspection : child->stream_outbody_inspection);
+ /* PDF XSS protection. */
+ merged->pdfp_enabled = (child->pdfp_enabled == NOT_SET
+ ? parent->pdfp_enabled : child->pdfp_enabled);
+ merged->pdfp_secret = (child->pdfp_secret == NOT_SET_P
+ ? parent->pdfp_secret : child->pdfp_secret);
+ merged->pdfp_timeout = (child->pdfp_timeout == NOT_SET
+ ? parent->pdfp_timeout : child->pdfp_timeout);
+ merged->pdfp_token_name = (child->pdfp_token_name == NOT_SET_P
+ ? parent->pdfp_token_name : child->pdfp_token_name);
+ merged->pdfp_only_get = (child->pdfp_only_get == NOT_SET
+ ? parent->pdfp_only_get : child->pdfp_only_get);
+ merged->pdfp_method = (child->pdfp_method == NOT_SET
+ ? parent->pdfp_method : child->pdfp_method);
+
 /* Geo Lookup */
 merged->geo = (child->geo == NOT_SET_P ? parent->geo : child->geo);
@@ -678,6 +701,14 @@ void init_directory_config(directory_config *dcfg)
 if (dcfg->stream_inbody_inspection == NOT_SET) dcfg->stream_inbody_inspection = 0;
 if (dcfg->stream_outbody_inspection == NOT_SET) dcfg->stream_outbody_inspection = 0;
+ /* PDF XSS protection. */
+ if (dcfg->pdfp_enabled == NOT_SET) dcfg->pdfp_enabled = 0;
+ if (dcfg->pdfp_secret == NOT_SET_P) dcfg->pdfp_secret = NULL;
+ if (dcfg->pdfp_timeout == NOT_SET) dcfg->pdfp_timeout = 10;
+ if (dcfg->pdfp_token_name == NOT_SET_P) dcfg->pdfp_token_name = "PDFPTOKEN";
+ if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
+ if (dcfg->pdfp_method == NOT_SET) dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
+
 /* Geo Lookup */
 if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;
@@ -2812,7 +2843,6 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
 if (intval < 0) {
 return apr_psprintf(cmd->pool, "ModSecurity: SecCacheTransformations maxlen must be positive: %s", charval);
 }
-
 /* The NOT_SET indicator is -1, a signed long, and therfore
 * we cannot be >= the unsigned value of NOT_SET. */
@@ -2844,6 +2874,26 @@ static const char *cmd_cache_transformations(cmd_parms *cmd, void *_dcfg,
 }
+static const char *cmd_pdf_protect_method(cmd_parms *cmd, void *_dcfg,
+ const char *p1)
+{
+ directory_config *dcfg = (directory_config *)_dcfg;
+ if (dcfg == NULL) return NULL;
+
+ if (strcasecmp(p1, "TokenRedirection") == 0) {
+ dcfg->pdfp_method = PDF_PROTECT_METHOD_TOKEN_REDIRECTION;
+ } else
+ if (strcasecmp(p1, "ForcedDownload") == 0) {
+ dcfg->pdfp_method = PDF_PROTECT_METHOD_FORCED_DOWNLOAD;
+ } else {
+ return (const char *)apr_psprintf(cmd->pool,
+ "ModSecurity: Unrecognised parameter value for SecPdfProtectMethod: %s", p1);
+ }
+
+ return NULL;
+}
+
+
 /* -- Configuration directives definitions -- */
 #define CMD_SCOPE_MAIN (RSRC_CONF)
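Review bot: In the init_directory_config hunk pdfp_secret falls back to NULL while pdfp_enabled is defaulted on its own line, so nothing here prevents a configuration in which the feature is enabled but no secret was ever supplied; the code that consumes these fields is not in this diff, so confirm that it treats a NULL secret as a configuration error rather than deriving tokens from it. The defaults `dcfg->pdfp_timeout = 10` and `dcfg->pdfp_token_name = "PDFPTOKEN"` are bare literals with no unit or meaning recorded; a trailing comment on each, such as `/* token lifetime; unit as read by the consumer of pdfp_timeout — confirm */` and `/* default parameter name for the token — confirm against pdf_protect */`, would spare the next reader a trip to pdf_protect.h. init_directory_config continues outside the hunk.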
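Review bot: In cmd_pdf_protect_method the `(const char *)` cast on the apr_psprintf return is unnecessary and departs from the file's own convention: the cmd_cache_transformations context a few lines up returns `apr_psprintf(cmd->pool, ...)` uncast, and the `char *` it yields converts to the `const char *` return type implicitly. The `} else` followed by `if (...)` on the next line reads as two separate statements; `} else if (strcasecmp(p1, "ForcedDownload") == 0) {` is the clearer form. The new handler has no header comment; `/* SecPdfProtectMethod: selects PDF_PROTECT_METHOD_TOKEN_REDIRECTION or PDF_PROTECT_METHOD_FORCED_DOWNLOAD, matched case-insensitively; any other value is rejected as a configuration error. */` would document it. strcasecmp is declared in <strings.h>, which this hunk does not add; it is presumably already available through the existing includes, but apache2_config.c's include list is only partially visible here, so worth confirming.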
@@ -3520,6 +3570,14 @@ const command_rec module_directives[] = {
 "Set Hash key"
 ),
+ AP_INIT_TAKE1 (
+ "SecPdfProtectMethod",
+ cmd_pdf_protect_method,
+ NULL,
+ RSRC_CONF,
+ "protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"
+ ),
+
 AP_INIT_TAKE1 (
 "SecHashParam",
 cmd_hash_param,
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index 72cdea16..ee990d11 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -547,6 +547,14 @@ struct directory_config {
 int stream_inbody_inspection;
 int stream_outbody_inspection;
+ /* PDF XSS Protection. */
+ int pdfp_enabled;
+ const char *pdfp_secret;
+ int pdfp_timeout;
+ const char *pdfp_token_name;
+ int pdfp_only_get;
+ int pdfp_method;
+
 /* Geo Lookup */
 geo_db *geo;
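Review bot: The new AP_INIT_TAKE1 entry passes `RSRC_CONF` directly although apache2_config.c defines `CMD_SCOPE_MAIN` as `(RSRC_CONF)` for exactly this purpose, so `CMD_SCOPE_MAIN,` expresses the scope the way the file's own macro intends. More importantly, this diff registers only SecPdfProtectMethod, while directory_config gains pdfp_enabled, pdfp_secret, pdfp_timeout, pdfp_token_name and pdfp_only_get as well; unless handlers for those are added in another commit, the secret in particular can never be set and stays at the NULL default from init_directory_config. The help string also starts in lower case, unlike `"Set Hash key"` just above it; `"Protection method to use. Can be 'TokenRedirection' (default) or 'ForcedDownload'"` matches the surrounding entries. The module_directives array continues outside the hunk.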
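Review bot: The six new directory_config fields carry no per-field documentation, and the types alone do not say what they hold. From the rest of this diff, `int pdfp_method; /* PDF_PROTECT_METHOD_* value, set by SecPdfProtectMethod */`, `const char *pdfp_secret; /* NULL until configured */` and `int pdfp_timeout; /* defaults to 10 in init_directory_config; unit not stated here — confirm */` would record what is known, with pdfp_enabled and pdfp_only_get noted as on/off flags (their init defaults are 0 and 1 respectively). The block comment also writes `Protection` where the matching comments in apache2_config.c use `protection`. struct directory_config continues outside the hunk.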