w3c / push-api

Push API
https://w3c.github.io/push-api/

Make it clear that an endpoint must contain a secure random #301

Closed collimarco closed 5 years ago

collimarco commented 5 years ago

In the spec I can find this definition of endpoint:

A push subscription has an associated push endpoint. It MUST be the absolute URL exposed by the push service where the application server can send push messages to. A push endpoint MUST uniquely identify the push subscription.

However, you don't mention that the endpoint must be hard to guess (e.g. include a secure random). This was implicit in the first versions of the spec (VAPID was not present), but now I think that you should write that explicitly. All browsers currently do that, but I cannot find it in the spec.

This is really important for security: for example, the endpoint can be used by a JavaScript SDK to update the data associated with that endpoint (e.g. tags) on the application server. If someone can guess an endpoint, then they can also alter the data (e.g. tags) associated with that endpoint in the database.

martinthomson commented 5 years ago

See https://tools.ietf.org/html/rfc8030#section-8.3