Can a server trust any endpoint url from a web-push subscription?

Time:02-22

Even if a user is authenticated, there is no assurance that they are not a malicious hacker. How can I validate the push servers from the web push subscription endpoints? Is there a white list of push servers? Is there any other approach to validation? How can I do this in Java?

CodePudding user response:

We maintain and use this whitelist in production, it is still valid:

https://github.com/pushpad/known-push-services

You should connect only to the whitelisted hosts to avoid unexpected behaviors - otherwise a non-response, slow response, etc. from malicious servers can degrade your services.

Then when you connect to a known / trusted host you can simply validate the HTTP status code.
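As an added illustration of the approach the answer describes (this is example code, not part of the original answer and not code from the pushpad repository), the following Java class checks a subscription endpoint before any request is made: it must parse as an https URL with no user-info and no unusual port, and its host must match an allowlist. The allowlist entries and the `*.` wildcard-rule syntax are constructed for the example; the real host list should be loaded from the linked known-push-services repository. The status-code classification at the end follows the Web Push protocol (RFC 8030) convention that 201 means accepted and 404/410 mean the subscription is gone.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

/**
 * Allowlist validation for Web Push subscription endpoints.
 * Constructed example: the host entries below are a small sample and the
 * "*.suffix" rule syntax is an assumption of this example, not a format
 * defined by the known-push-services repository.
 */
public final class PushEndpointValidator {

    // Constructed sample allowlist. A leading "*." matches any subdomain of the suffix.
    private static final List<String> ALLOWED_HOSTS = List.of(
            "fcm.googleapis.com",
            "updates.push.services.mozilla.com",
            "web.push.apple.com",
            "*.notify.windows.com"
    );

    private PushEndpointValidator() {}

    /** True only if the endpoint is an https URL on the default port whose host is allowlisted. */
    public static boolean isTrustedEndpoint(String endpoint) {
        if (endpoint == null || endpoint.isBlank()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(endpoint.trim());
        } catch (URISyntaxException e) {
            return false;                       // unparseable input is rejected outright
        }
        // Push services speak https only; reject user-info so that
        // "https://fcm.googleapis.com@evil.example/" cannot pass a naive prefix check.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getRawUserInfo() != null) {
            return false;
        }
        int port = uri.getPort();
        if (port != -1 && port != 443) {
            return false;                       // only the default https port is accepted
        }
        String host = uri.getHost();
        if (host == null || host.startsWith("[")) {
            return false;                       // missing authority or an IP literal
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);   // normalise a trailing dot
        }
        return matchesAllowlist(host);
    }

    /** Exact match, or suffix match for "*." rules (the dot prevents "evilnotify.windows.com"). */
    static boolean matchesAllowlist(String host) {
        for (String rule : ALLOWED_HOSTS) {
            if (rule.startsWith("*.")) {
                String suffix = rule.substring(1);          // ".notify.windows.com"
                if (host.length() > suffix.length() && host.endsWith(suffix)) {
                    return true;
                }
            } else if (rule.equals(host)) {
                return true;
            }
        }
        return false;
    }

    /** Outcome of a push request to a trusted host, decided from the HTTP status code. */
    public enum PushOutcome { DELIVERED, SUBSCRIPTION_GONE, RETRY_LATER, FAILED }

    /** Classifies the response once the request has been sent to an allowlisted host. */
    public static PushOutcome classify(int statusCode) {
        if (statusCode == 201 || statusCode == 200) return PushOutcome.DELIVERED;
        if (statusCode == 404 || statusCode == 410) return PushOutcome.SUBSCRIPTION_GONE; // drop it
        if (statusCode == 429 || statusCode >= 500) return PushOutcome.RETRY_LATER;
        return PushOutcome.FAILED;
    }

    public static void main(String[] args) {
        // Constructed sample endpoints; the rejected ones show the checks above in action.
        String[] samples = {
                "https://fcm.googleapis.com/fcm/send/abc123",          // accepted
                "https://db5.notify.windows.com/w/?token=xyz",           // accepted via wildcard
                "http://fcm.googleapis.com/fcm/send/abc123",            // rejected: not https
                "https://fcm.googleapis.com@evil.example/collect",      // rejected: user-info
                "https://evilnotify.windows.com/w/",                    // rejected: not a subdomain
                "https://10.0.0.5/internal"                             // rejected: not allowlisted
        };
        for (String s : samples) {
            System.out.println(isTrustedEndpoint(s) + "  " + s);
        }
    }
}
```

Only endpoints for which `isTrustedEndpoint` returns true should ever be handed to the HTTP client; the rest are logged and the subscription discarded, so a hostile endpoint never gets the chance to hold a connection open or steer the server at an internal address.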
