If you have questions or you find a bug please contact us by email.
Security for Web Push Notifications
Pushpad adopts multiple layers of protection against attackers that may want to send fraudulent push notifications to your users:
- Endpoints (i.e. the addresses of the recipients) are stored in our database and are not publicly accessible
- Endpoints are also associated to cryptographic key pairs through protocols like VAPID and thus can be used only if you also have access to the private keys; you can limit access to private keys in your account by using access tokens with restricted access
- Even if you have access to endpoints and private key pairs you also need access to the service worker or to Pushpad, because the address of Pushpad is hardcoded in the service workers and the notifications are fetched directly from our secure servers.
Pushpad also offers a reliable way to authenticate your users when they subscribe to push notification: in this way no one can pretend to be someone else to intercept confidential notifications.
We adopt many best practices to ensure the security of our service and the protection of data. For example:
- We make daily backups of the database and we store those backups off-site; the configuration of backups ensures that they cannot be deleted, even in the case of an attack to the main application; we also periodically try to restore the database backups to ensure that everything is working properly
- Only few, high-qualified people can access to the production servers
- We enforce HTTPS on public networks
- We keep the software updated
- We keep our application code clean and tested
- We store passwords securely (e.g. outside the source code) and we use alternative methods like public key cryptography
- We filter sensitive data from logs
- We perform checks on open ports
- We use trusted providers to run our service. Our main provider for IaaS is DigitalOcean, which offers certified datacenters located in Europe.