I want to like PWAs. But what‘s the strategy to mitigate attack vectors like web server compromise and XSS? It seems like only a matter of time until honey pots are attractive enough, especially for lightning wallets. I‘m not sure the UX trade-offs of using browser extensions are workable as every signature/transaction would have to be confirmed within the context of the extension UI.
Discussion
The issues you mentioned are well-known in web development, not limited to PWAs. Online documentation offers excellent resources for best practices to address these problems. Services like Vercel simplify server configuration.
I recommend using Next.js to create your website. It offers server-side rendering and enable edge location, enhancing performance. It also supports Content Security Policy (CSP) to minimize XSS attacks. Additionally, it includes default PWA support.
Server-side rendering provides unlimited power and consistent user experiences across devices, it's a game-changer for developers and users don't even have to update the app.
Unfortunately none of the mitigation strategies you listed address the core issue. This post does a good job of detailing why it‘s trivial to extract key material from a web app https://tonyarcieri.com/whats-wrong-with-webcrypto
Yes, it's not 100% secure, but these mitigation practices definitely works. The more best practices you follow, the more expensive it becomes to exploit.
Even with native applications, governments literally pay billions of dollars for spyware named Pegasus, which can access your phone and they just have to send you a text DM.
But if you're asking whether it's secure enough to create a nostr clients and note app, I can assure you that it is. In fact, I believe it's even more capable than that.
But I also understand where you are coming from.
The main issue I see is the low cost of the attack vs the reward, especially for wallets. It‘s basically impossible to detect an attack deployed via web server. E.g. a server could target specific IP addresses. In contrast it‘s easy to detect a malicious app update as it would have to be pushed to all client devices. A state level actor compromising devices is quite expensive to do at scale.
And there are definitely levels to it. If you have a much larger and complex project, there are cloud providers that offer a wide range of security tools to meet your needs. They all have documentations for best practices.
The bottom line is that you can make web applications as secure as you want them to be.
the answer is simply, never to put keys into web apps. Use external signers (not extensions).
Native apps (amethyst/damus) could provide this facility, or the upcoming signing server from nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft
Is there a write up of how the signing server works?
there's also NIP 46