Summary of ScandiPWA Security

Data transmission over HTTPS protocol

ScandiPWA uses a service worker that acts as a network proxy between the frontend and the Magento backend. Because every request passes through it, an attacker who manages to take control of the service worker (for example by getting a tampered script registered in the browser) is in a man-in-the-middle position over all application traffic.

Data is transmitted over HTTPS only, which ensures that everything exchanged between the browser and the Magento backend is encrypted in transit. Browsers only allow a service worker to be registered from a secure context (a page served over HTTPS, or localhost during development), so the service worker script received by the browser cannot have been tampered with on the way. Note that this protects the script in transit; it does not protect against a compromised origin serving a malicious script.

Sensitive data security

ScandiPWA uses OAuth2 to generate and validate the user tokens that authorize requests for sensitive data. All such requests use the POST method only, and they are never cached by the service worker.

It is important to note that no sensitive data, such as cart or session tokens, is ever stored in the URL, so it cannot leak through browser history, referrer headers, proxy logs or cached responses.

Token and authorization information

Because configurable parameters live in the Magento 2 configuration, ScandiPWA neither ships nor reads a configuration file of its own that could hold sensitive values such as access keys. That information stays in the Magento 2 configuration and is requested from the backend each time it is needed.

ScandiPWA not affected by Magento 2 Frontend security flaws

ScandiPWA completely replaces the Magento 2 frontend, so it is not affected by security flaws in the Magento 2 frontend components it replaces. The Magento 2 backend it talks to (the API layer and the admin panel) is unchanged and still needs to be kept patched.

ScandiPWA comes with all the security benefits of modern, up-to-date browsers

ScandiPWA is a pure web application and inherits the usability, performance and security capabilities of the browser that runs it. For the most effective security, use a modern, up-to-date browser.

Secured access to ElasticSearch and Redis

ReadyMage is configured without any public API endpoints for the ElasticSearch and Redis instances used by ScandiPWA. Only the applications inside the project namespace that need them can reach them, over controlled private access.

We hope you enjoyed the latest ScandiPWA updates. Follow us on Twitter or join the first Magento PWA community in our Slack channel where you can stay up-to-date with our work, explore the latest technical progress, ask questions, and meet other enthusiasts!
