ErotemeEroteme

Service Worker Security

Security considerations for the service worker and offline capabilities.

Overview

Eroteme uses a service worker for push notifications and offline capabilities. This document covers the security measures in place.

HTTPS Requirement

Service workers only work over HTTPS (or localhost for development). This ensures:

  • All communication is encrypted in transit
  • Man-in-the-middle attacks are prevented
  • Script integrity is maintained

Sensitive Data Exclusion

The service worker's cache strategy explicitly excludes sensitive data:

ExcludedReason
API responses with auth dataPrevents credential caching
Wallet signaturesOne-time use, should not be cached
Encrypted contentDecryption keys should not persist in cache
User session dataPrevents session hijacking from cached data

Cache Strategy

Static assets → Cache-first (fast loading)
API responses → Network-first (fresh data)
Auth endpoints → Network-only (never cached)

Push Notification Security

  • VAPID authentication — Server identity verified via VAPID keys
  • Encrypted payloads — Push messages encrypted end-to-end
  • Origin validation — Service worker only accepts pushes from the registered origin

Scope

The service worker scope is limited to the application origin. It cannot:

  • Intercept requests to other domains
  • Access data from other origins
  • Modify requests outside its scope

Previous

Wallet-Based Encryption

On this page