You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1.2 KiB
1.2 KiB
Security Audit Checklist for Web Push Service
Authentication & Authorization
- Basic auth implemented for admin endpoints
- VAPID authentication for push notifications
- Environment variable for admin password
- Consider rate limiting for subscription endpoints
- Consider adding API key authentication for public endpoints
Data Validation
- Input validation for subscription data
- Message size limits (100 chars)
- Notification type validation
- Consider adding input sanitization for messages
Database Security
- SQLite database with configurable path
- No raw SQL queries (uses SQLAlchemy ORM)
- Consider adding database connection pooling
- Consider encryption at rest for sensitive data
Push Notification Security
- VAPID key rotation capability
- Secure key generation using cryptography library
- Proper error handling for expired subscriptions
- Consider adding payload encryption
General Security
- Type hints for better code safety
- Error logging implemented
- Consider adding request logging
- Consider adding CORS protection
- Consider adding CSP headers