Security Concerns in Novu: Preventing Unauthorized Notification Access
I'm a beginner using Novu, and I have a security-related question. An attacker only needs the NOVU_APPLICATION_IDENTIFIER and subscriberId to listen to a victim's notifications, and both of these are easily obtainable: NOVU_APPLICATION_IDENTIFIER is exposed on the client side, and subscriberId in SQL databases is often an incrementing number, making it predictable.

Novu's current security solution for this issue is to use subscriberHash when connecting. However, an attacker can modify the client code to connect without including subscriberHash, since there is no configuration on Novu's host that enforces a requirement for subscriberHash to be present when users connect.
@Rot4tion
we have subscriberHash option
https://docs.novu.co/inbox/react/production
Production Setup for React - Novu: Learn how to prepare your React notification inbox for production deployment, including HMAC encryption and security best practices.
Thank you, I've been searching for it all day.
Let us know if you face any issues configuring this.