
A new Progressive Web App danger very few know about

With the rise in PWA adoption comes an increase in client-side security risks. And the industry? It’s barely talking about it.

Dec 20, 2024 2 min read

Progressive Web Apps (PWAs) have changed how we build and deliver applications, and it’s no wonder they’ve gained traction. They simplify development by combining the flexibility of the web with the capabilities of mobile: offline access, push notifications, and hardware integration, all wrapped in the convenience of a browser. Since iOS 16.4 in 2023 added Web Push and badging for web apps added to the Home Screen, shipping an app that is really a web app has been easier than ever, driving the new wave of PWA adoption.

But there’s a flipside. With their rise comes an increase in client-side security risks. And the industry? It’s barely talking about it.

Screenshot: the Tinder app running as a Progressive Web App.

PWAs are browsers

At their core, PWAs are web apps running inside a browser engine, whether the user’s browser or a system WebView. They turn every app into a micro-web environment. That’s their power: they load instantly, reuse website code, and connect to web services seamlessly. Yet this very architecture also exposes them to the web’s vulnerabilities, especially client-side risks tied to 3rd-party scripts.

Modern websites depend on these scripts for everything from analytics to engagement tools. While convenient, they massively expand your attack surface: a 3rd-party script executes in your page’s origin, with the same access to the DOM, to client-side storage, and to authenticated requests as your own code. In a PWA, those same scripts run inside the app, so a compromised vendor script means data exfiltration or malicious injection inside something the user trusts as an app.

Your risk isn’t limited to website visitors anymore; it extends to every app user.

Keep the web supply chain in mind

The client-side is the final stop in the chain. It’s where your code, both 1st and 3rd-party, loads into the user’s browser or PWA.

3rd-party scripts sourced from external vendors are integral but often fall outside your control, making them prime targets for attackers. From compromised analytics scripts leaking user data to malicious code injected into chatbots, the client-side is under constant threat.

Building a PWA only amplifies these risks by bringing them into your app.

PWAs are not bad

With all this being said, we don’t advocate against using PWAs. Depending on your needs, they’re likely the smartest choice. Just don’t overlook the security challenges they bring. Unfortunately, client-side vulnerabilities, especially from 3rd-party scripts, are often ignored.

We’ve built cside, a 3rd-party script monitoring and security tool that covers both web and PWA environments. Install it right now, or talk to us; we’re more than happy to help you get started.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

Frequently Asked Questions

Progressive Web Apps can be installed with a single tap on an install prompt and request capabilities that look like a native app. Once installed, a malicious PWA can deliver push notifications, keep a service worker ready to run in the background, and impersonate a trusted brand’s name and icon far more convincingly than a normal web page.

Monitor the third-party scripts on your site so that an injected manifest link or service-worker registration is caught. A service worker script must be served from your own origin, so an injected registration has to point at a same-origin path the attacker controls; a manifest link, by contrast, can be swapped to any host. cside flags new script and worker behavior on the client, which is the only layer where this risk is visible.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.
