PWA Platform

Your PWA,

protected.

PWA assets served from a CDN are publicly reachable — and without protection, anyone can hotlink your service worker, clone your manifest, or tamper with cached scripts. pageflare's asset hardening layer binds your PWA assets to your domain and signs them cryptographically, so only your site can use them.

Origin-bound
Assets locked to your domain
HMAC-signed
Tamper-proof delivery
Edge-enforced
Zero performance cost
Hardening features

Defense at every layer,
zero overhead.

Origin Binding

Your service worker, manifest, and PWA assets are issued with an origin claim. If a request comes from a different domain, pageflare's edge rejects it — preventing your SW from being registered on cloned or scraped copies of your site.

HMAC Asset Signing

Critical assets — your service worker script and manifest.json — are HMAC-signed on every delivery. The pageflare client verifies the signature before trusting the asset. Tampered responses are detected and discarded.

Referer Validation

Asset requests without a valid Referer header matching your registered domain are blocked at the edge. Hotlinking your icons or service worker from other sites returns a 403 — not a silent success.

CORS Lock

Your manifest and SW endpoint are served with strict CORS headers. Cross-origin requests from unauthorized domains get a CORS error, not a successful response. Tight by default, with per-domain allowlisting for staging environments.

Code Obfuscation

The pageflare client script is obfuscated and version-locked per site. Extracting credentials or configuration requires defeating per-site obfuscation — not just copying a plain-text config object from DevTools.

License Gating

Each pageflare license is tied to a domain and verified on every edge request. Service worker delivery is blocked for domains not on your account. Moving to a new domain requires re-issuing — preventing resale or redistribution.

How it works

Secure by default.
Configured in minutes.

1

Add your domain

Register your domain in the pageflare dashboard. Your site ID is bound to that domain — assets issued for it will only be served to requests originating there.

2

Hardening is automatic

Origin binding, HMAC signing, and CORS locking are active by default for every pageflare site. No extra configuration. Advanced options like referer validation and obfuscation strength are available in Security settings.

3

Monitor in the dashboard

The Security tab shows blocked requests by type — unauthorized origins, failed signature checks, CORS violations. Use this to detect scraping attempts or misconfigured staging environments.

Get started

Hardened from day one. Start free.

Install the CLI, point it at your build output, and see results in under two seconds.