Data transmission over HTTPS protocol
ScandiPWA uses a service worker that acts as a network proxy between the frontend and the backend. If an attacker ever takes control of the service worker, the result is a man-in-the-middle attack on the application's traffic.
Data transmission happens only over HTTPS. This ensures that all data passed between the browser and the Magento backend is encrypted in transit. Service workers can only be registered on pages served over HTTPS, which ensures that the service worker script received by the browser has not been tampered with.
Sensitive data security
ScandiPWA uses OAuth2 to generate and validate user tokens for sensitive data requests. All such requests use only the POST method and are never cached.
It is important to note that no sensitive data, such as cart or session tokens, is stored in the URL.
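As an added example that is not part of the original post or of ScandiPWA's code, the helper below shows how a service worker fetch handler can enforce the rules described above: only HTTPS, same-origin GET requests are eligible for caching, POST and other sensitive requests bypass the cache entirely, and any URL carrying token-like query parameters is rejected. The cache name, origin and parameter names are assumptions.

```javascript
'use strict';

// Query parameter names that must never appear in a cached URL (they would
// leak into caches, logs and Referer headers). Assumed names, not ScandiPWA's.
const SENSITIVE_PARAMS = new Set(['token', 'access_token', 'cart_id', 'session']);

// Decide whether the service worker may serve or store a response from cache.
// Returns { cache, reason } so the caller can log why a request was bypassed.
function cachePolicy(method, urlString, expectedOrigin) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { cache: false, reason: 'unparseable url' };
  }
  if (url.protocol !== 'https:') {
    return { cache: false, reason: 'not https' };
  }
  if (url.origin !== expectedOrigin) {
    return { cache: false, reason: 'cross-origin' };
  }
  if (method.toUpperCase() !== 'GET') {
    // Sensitive requests (cart, session, checkout) are POST-only and uncached.
    return { cache: false, reason: 'non-GET' };
  }
  for (const [name] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      return { cache: false, reason: 'sensitive parameter in url' };
    }
  }
  return { cache: true, reason: 'cacheable GET' };
}

// Only wire the policy into a fetch handler when actually running as a
// service worker; outside a worker (e.g. Node) the helper is just importable.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && 'caches' in self) {
  self.addEventListener('fetch', (event) => {
    const { cache } = cachePolicy(event.request.method, event.request.url, self.location.origin);
    if (!cache) return; // let the browser fetch directly; nothing is stored
    event.respondWith(caches.open('example-runtime-cache').then(async (store) => {
      const hit = await store.match(event.request);
      if (hit) return hit;
      const response = await fetch(event.request);
      if (response.ok) await store.put(event.request, response.clone());
      return response;
    }));
  });
}
```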
Token and authorization information
Since the Magento 2 configuration file is used for configurable parameters, ScandiPWA does not pass around or use any configuration file of its own that could hold sensitive data such as access keys. Such configuration is kept in the Magento 2 configuration file and requested every time it is needed.
ScandiPWA not affected by Magento 2 Frontend security flaws
ScandiPWA completely replaces the Magento 2 frontend and is therefore not affected by any Magento 2 frontend security flaws.
ScandiPWA comes with all the security benefits of modern, up-to-date browsers
ScandiPWA is a pure web application: it inherits all usability, performance and security capabilities from the browser running it. Using a modern, up-to-date browser is important for the most effective security.
Secured access to ElasticSearch and Redis
ReadyMage is configured without any public API endpoints to the ElasticSearch and Redis instances used by ScandiPWA. Only applications within the project namespace that need them can reach them, through controlled private access.
We hope you enjoyed the latest ScandiPWA updates. Follow us on Twitter or join the first Magento PWA community in our Slack channel where you can stay up-to-date with our work, explore the latest technical progress, ask questions, and meet other enthusiasts!
ScandiPWA is the first open-source PWA theme for Magento