Secure PWAs: HTTPS, CSP, and Security Best Practices Quiz

Explore your understanding of Secure PWAs with this quiz focused on HTTPS, Content Security Policy, and web application security best practices. Gain practical insight into recognizing vulnerabilities and implementing robust security controls to protect users and data in modern web applications.

  1. HTTPS Requirement for PWAs

    Why is using HTTPS mandatory for Progressive Web Apps, for example when enabling service workers and push notifications?

    1. HTTPS prevents all server-side security vulnerabilities automatically.
    2. HTTPS is only required for faster loading times, not for security.
    3. HTTPS ensures encrypted data transmission and enables security-sensitive features like service workers.
    4. Service workers function identically over HTTP and HTTPS.

    Explanation: Option 3 is correct. HTTPS is mandatory for PWAs because it encrypts data in transit, and browsers only expose security-sensitive features such as service workers and push notifications on secure origins, so an attacker on the network cannot intercept or tamper with the data those features handle. Option 2 is incorrect because HTTPS provides critical security, not just faster load times. Option 4 is wrong because service workers are disabled on non-secure origins, so they do not behave identically over HTTP. Option 1 is inaccurate because HTTPS does nothing by itself to fix server-side security issues.

  2. Understanding Content Security Policy (CSP)

    What is the core purpose of implementing a Content Security Policy (CSP) in a Progressive Web App scenario?

    1. CSP makes all web content load faster by caching resources.
    2. CSP is only for blocking pop-up windows on web applications.
    3. CSP restricts the sources from which content like scripts and images can be loaded, mitigating XSS attacks.
    4. CSP automatically updates third-party libraries to their latest versions.

    Explanation: Option 3 is correct. The main purpose of a CSP is to reduce the risk of cross-site scripting (XSS) by restricting the sources from which each type of content (scripts, images, styles, connections and so on) may be loaded. Option 1 confuses CSP with caching mechanisms, which it does not control. Option 2 wrongly limits CSP to pop-up blocking when it actually governs all resource types. Option 4 misrepresents CSP's function: it does not update third-party libraries.
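    To make the "restricts the sources" idea concrete, the following added example (not part of the quiz) builds a Content-Security-Policy header value for a PWA from a policy object and then checks whether a given resource URL would be allowed by a directive. The policy, the page origin `https://app.example` and the hosts `cdn.example` and `api.example` are constructed sample values, and the matcher is a simplified model of the CSP source-matching rules (it handles `'self'`, `'none'`, scheme sources and host sources with an optional `*.` subdomain wildcard, but not ports, paths or nonces).

```javascript
// Added example, not code from the quiz: model a CSP policy and test URLs against it.

// Constructed sample policy for a PWA served from https://app.example.
const policy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example"],
  "img-src": ["'self'", "https:", "data:"],
  "connect-src": ["'self'", "https://api.example"],
  "object-src": ["'none'"],
};

// Page origin the policy is evaluated against (constructed sample value).
const PAGE_ORIGIN = "https://app.example";

// Serialise the policy object into the header value the server should send:
// "default-src 'self'; script-src 'self' https://cdn.example; ..."
function buildCspHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Does a single source expression match the parsed URL?
// Simplified: 'self', 'none', scheme sources ("https:", "data:") and
// host sources ("https://cdn.example", "https://*.cdn.example"). No ports or paths.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  // Scheme source such as "https:" or "data:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol.toLowerCase() === source.toLowerCase();
  // Host source, optionally with a scheme and a leading wildcard subdomain
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  if (wildcard) return url.hostname.endsWith("." + host.toLowerCase());
  return url.hostname === host.toLowerCase();
}

// Is a resource URL allowed by the given directive? When the directive is
// absent the policy falls back to default-src, as browsers do for fetch directives.
function isAllowed(policy, directive, urlString, pageOrigin) {
  const sources = policy[directive] || policy["default-src"] || [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

console.log(buildCspHeader(policy));
console.log(isAllowed(policy, "script-src", "https://app.example/sw.js", PAGE_ORIGIN));   // true
console.log(isAllowed(policy, "script-src", "https://evil.example/x.js", PAGE_ORIGIN));   // false
console.log(isAllowed(policy, "object-src", "https://app.example/a.swf", PAGE_ORIGIN));   // false
```

The header string is what the server must send (or what a `<meta http-equiv="Content-Security-Policy">` tag must carry); the matcher only illustrates the decision the browser makes for each fetch. Note that `object-src 'none'` blocks even same-origin plugins, and that a directive that is missing inherits `default-src`, which is why a restrictive `default-src` matters.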

  3. Service Workers and Security

    In the context of PWAs, why must service workers be registered only on secure origins such as HTTPS, and not on HTTP sites?

    1. Service workers only improve battery life on secure origins.
    2. Service workers need HTTPS to prevent CSS styling issues.
    3. Service workers are not supported on any web platforms.
    4. Service workers have broad control over network requests and could be abused on insecure origins.

    Explanation: Option 4 is correct. Service workers are powerful scripts that intercept and handle network requests for their scope, so allowing them on insecure HTTP origins would let an attacker on the network install or modify one and then manipulate content or steal data for every subsequent visit. Option 2 incorrectly relates service workers to CSS styling, which is unrelated. Option 3 is wrong because service workers are supported on secure origins across modern browsers. Option 1 inaccurately associates service workers with battery optimization that is somehow exclusive to secure origins.

  4. Mitigating Cross-Site Scripting in PWAs

    Which security measure is most effective for reducing the risk of cross-site scripting (XSS) attacks in a PWA that handles user comments?

    1. Disabling all images, stylesheets, and user input entirely.
    2. Relying solely on HTTPS to prevent all types of XSS attacks.
    3. Allowing users to include JavaScript in their comments for flexibility.
    4. Implementing strict input validation and output encoding for all user-generated content.

    Explanation: Option 4 is correct. Validating user input and encoding output for the context it is rendered into (HTML body, attribute, URL or JavaScript) are the essential steps to prevent injected scripts from executing. Option 3 introduces XSS risk rather than reducing it. Option 2 overstates what HTTPS can do: it protects data in transit but does nothing about script injection inside the page. Option 1 is overly restrictive and would degrade the user experience without addressing XSS directly.
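    The following added example (not part of the quiz) shows what "input validation and output encoding" look like in code for the user-comment scenario. `validateComment`, `escapeHtml` and `renderComment` are names chosen for this example, and the comment payload is a constructed sample used only to show the effect of encoding; in a browser the same result is obtained more simply by assigning user text to `textContent` instead of building HTML strings.

```javascript
// Added example, not code from the quiz: validate a user comment on input and
// HTML-encode it on output so that markup in the comment is displayed, not executed.

// Output encoding: replace the five characters that are significant in HTML
// text and quoted-attribute context. Everything else passes through unchanged.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Input validation: enforce type, length and a character policy rather than
// trying to strip "dangerous" markup, which is error-prone. Returns the
// trimmed comment or throws.
function validateComment(text) {
  if (typeof text !== "string") throw new TypeError("comment must be a string");
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > 2000) {
    throw new RangeError("comment length out of range");
  }
  // Reject C0 control characters other than tab, newline and carriage return.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(trimmed)) {
    throw new RangeError("control characters not allowed");
  }
  return trimmed;
}

// Render one comment as an HTML fragment. Author and body are both
// user-controlled and both encoded; the author also lands in an attribute,
// which is why quotes must be encoded too.
function renderComment({ author, body }) {
  const safeAuthor = escapeHtml(validateComment(author));
  const safeBody = escapeHtml(validateComment(body));
  return `<li class="comment" data-author="${safeAuthor}"><b>${safeAuthor}</b>: ${safeBody}</li>`;
}

// Constructed sample: a script tag in the body and an attribute breakout attempt in the name.
const sampleComment = {
  author: 'Mallory" onmouseover="x',
  body: "<script>alert(1)</script> nice post",
};
console.log(renderComment(sampleComment));
// <li class="comment" data-author="Mallory&quot; onmouseover=&quot;x"><b>Mallory&quot; onmouseover=&quot;x</b>: &lt;script&gt;alert(1)&lt;/script&gt; nice post</li>
```

The encoded output still shows the user's literal text, but the browser parses `&lt;script&gt;` as characters rather than as a tag, and the `&quot;` keeps the author name inside the attribute value. Encoding is context-specific: the same comment placed inside a URL or a `<script>` block would need URL or JavaScript-string encoding instead, and a CSP that disallows inline scripts adds a second layer if an encoding step is ever missed.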

  5. Evaluating Common Security Best Practices

    When deploying a PWA, which practice most effectively strengthens the application's protection against code injection and data breaches?

    1. Regularly updating dependencies and libraries to patch known vulnerabilities.
    2. Making password fields visible for easier debugging.
    3. Allowing all origins to access your application's API via permissive CORS headers.
    4. Storing sensitive tokens in local storage for quick access.

    Explanation: Option 1 is correct. Keeping dependencies and libraries updated closes newly disclosed vulnerabilities before attackers can exploit them. Option 2 reduces security by exposing credentials on screen. Option 3 opens the application's API to cross-origin abuse by allowing every origin without restriction. Option 4 is unsafe because anything in local storage is readable by any script running on the origin, so a single XSS flaw exposes the stored tokens.