Magento 2 PWA - security issues

What is a Progressive Web App
A Progressive Web App, or PWA, is a web application that uses modern web technologies and design patterns to provide a reliable, fast, and engaging user experience. PWA websites are fast, secure, responsive, and cross-browser compatible. They are able to work offline and act like a native app on mobile.

PWAs have become popular for building modern eCommerce sites. The number of features, configuration and deployment options keeps growing, and with great flexibility comes responsibility.

Very often, access keys to payment API gateways remain publicly available. Much of the blame here lies with the payment gateways, because they do not restrict who can use a key: the keys should, for example, be bound to the server or to a hash generated in the backend, so that a leaked key alone does not grant access to the API and the caller must also be a validated requestor.
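As an added illustration of the server-bound key approach described above (example code written for this page, not from any gateway, Vue Storefront or Magento project): the gateway credential stays on the backend, the browser only ever receives a short-lived, backend-signed request token bound to its session and order, and a server-side proxy verifies that token before the gateway is called. The environment variable name, signing key, TTL and token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# The gateway credential never leaves the server. The env var name is an assumption;
# the fallback value is a constructed placeholder so the example runs offline.
GATEWAY_SECRET = os.environ.get("PAYMENT_GATEWAY_SECRET", "constructed-gateway-secret")
# Key used to sign request tokens (constructed; rotate it in a real deployment).
TOKEN_SIGNING_KEY = b"constructed-token-signing-key"
TOKEN_TTL_SECONDS = 300


def issue_request_token(session_id: str, order_id: str, now: Optional[float] = None) -> str:
    """Backend-generated token bound to one session and one order, valid for TOKEN_TTL_SECONDS.

    The browser gets this token instead of any gateway key."""
    issued_at = time.time() if now is None else now
    claims = {"sid": session_id, "oid": order_id, "exp": int(issued_at) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_request_token(token: str, session_id: str, order_id: str, now: Optional[float] = None) -> bool:
    """True only if the HMAC is valid, the token is unexpired, and it matches this session and order."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(payload)  # parsed only after the signature checked out
    current = time.time() if now is None else now
    return (claims.get("sid") == session_id
            and claims.get("oid") == order_id
            and claims.get("exp", 0) > current)


def charge_via_gateway(token: str, session_id: str, order_id: str, amount_cents: int,
                       now: Optional[float] = None) -> dict:
    """Server-side proxy: the gateway is reached only on behalf of a validated requestor."""
    if not verify_request_token(token, session_id, order_id, now):
        return {"ok": False, "error": "unauthorized requestor"}
    # A real implementation would call the gateway here using GATEWAY_SECRET; simulated.
    return {"ok": True, "order_id": order_id, "amount_cents": amount_cents}


if __name__ == "__main__":
    tok = issue_request_token("sess-1", "order-42")
    print(charge_via_gateway(tok, "sess-1", "order-42", 1999))          # accepted
    print(charge_via_gateway(tok, "sess-other", "order-42", 1999))      # rejected: wrong session
```

Even if the token itself leaks from the browser, it is useless for another session, another order, or after five minutes, and the gateway credential is never in the frontend bundle at all.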

The main problems that remain after the launch of a PWA site are:

  • open ports
  • api key disclosure (3rd party services)
  • magento admin backend disclosure
  • wordpress admin backend disclosure
  • 3rd party config filenames and paths disclosure
  • custom backend and services auth locations disclosure
  • printing raw error log with root path disclosure
  • api extensions data disclosure without authorization
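A defender-side check for several of the disclosure classes listed above, added as an example for this page (not code from Vue Storefront, PWA Studio or Magento): it scans the built frontend assets and a captured error page for embedded API keys, hard-coded admin backend URLs, config file names, absolute root paths, and raw error output, so a release can be blocked before those leaks reach production. The sample file contents, rule names and patterns are constructed for the example; the patterns are deliberately simple and would be extended per project.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (file, rule name, redacted match)

# Constructed sample build output plus one captured error page; none of it is from a real project.
SAMPLE_FILES: Dict[str, str] = {
    "dist/app.js": (
        'const cfg={apiKey:"AIzaSyCONSTRUCTED0123456789abcdef",gatewayUrl:"https://pay.example.test"};'
        'if(u.isAdmin){location.href="/admin/dashboard"}'
    ),
    "dist/blog.js": 'fetch("/wp-json/wp/v2/posts");const login="/wp-login.php";const dbg="/app/.env";',
    "dist/index.html": '<script src="/static/main.js"></script>',
    "samples/error-500.html": (
        "Fatal error: Uncaught Exception in /var/www/html/vendor/acme/module/Controller.php:42\n"
        "Stack trace:\n#0 /var/www/html/pub/index.php(12): run()"
    ),
}

# One rule per disclosure class; names and patterns are constructed for this example.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("api_key_disclosure", re.compile(
        r'\b(?:api[_-]?key|secret|access[_-]?token|client[_-]?secret)\b\s*[:=]\s*["\']([A-Za-z0-9_\-]{20,})["\']',
        re.IGNORECASE)),
    ("admin_backend_disclosure", re.compile(
        r'["\'](/(?:admin|wp-admin|wp-login\.php|backend)(?:/[^"\']*)?)["\']')),
    ("config_path_disclosure", re.compile(
        r'(?:^|[^\w.])(\.env|env\.php|config\.php|wp-config\.php)\b')),
    ("root_path_disclosure", re.compile(
        r'/(?:var|home|srv|opt)/[^\s"\'<>():]+')),
    ("raw_error_output", re.compile(r'Fatal error|Stack trace|Uncaught|Warning:')),
]


def redact(text: str) -> str:
    """Keep just enough of a match to locate it in the file; never echo a full secret."""
    return text if len(text) <= 12 else text[:8] + "..."


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Run every rule over every file and collect (file, rule, redacted match) findings."""
    findings: List[Finding] = []
    for path, content in files.items():
        for rule, pattern in RULES:
            for m in pattern.finditer(content):
                findings.append((path, rule, redact(m.group(0).strip())))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. for a CI summary line."""
    counts: Dict[str, int] = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def deployment_is_clean(files: Dict[str, str]) -> bool:
    """Release gate: True only when no rule fires on any file."""
    return not scan_files(files)


if __name__ == "__main__":
    for path, rule, snippet in scan_files(SAMPLE_FILES):
        print(f"{path}: {rule}: {snippet}")
    print("clean:", deployment_is_clean(SAMPLE_FILES))
```

Run it against the real build directory (and against saved responses for error pages) as part of the release pipeline; the error-page rules also catch the "raw error log with root path" case, which is fixed on the server by disabling error display rather than in the bundle.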

ISSUES ARE NOT DIRECTLY RELATED TO VSF OR MAGENTO PWA STUDIO.
They only show how third-party developers use bad practices and mishandle security in custom integrations.
PWA issues are specific to each project.

https://headless-security.org/

https://www.linkedin.com/posts/magenx_magento2-vuejs-magentocommerce-activity-6676795809536733184-T2tR