autopush-rs
Enforce VAPID headers for any subscription provider that sends more than a small number of updates a day
Because we can't have nice things, we get stuff like: https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/
Google already requires VAPID headers for subscription updates. This would help us isolate potentially abusive providers who may be using large-scale services like AWS.
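A sketch of the gate this issue asks for, added here as an illustration and not taken from the autopush-rs code base: updates carrying an RFC 8292 `vapid` Authorization header always pass, while unsigned updates are counted per sender per day and refused once over a limit. The names `VapidGate`, `has_vapid`, `Decision` and `DAILY_UNSIGNED_LIMIT`, the limit of 5, and keying the counter on a subscription id are all assumptions; the header is checked for shape only, not signature.

```rust
use std::collections::HashMap;

/// Hypothetical value: the issue only says "a small number of updates a day".
const DAILY_UNSIGNED_LIMIT: u32 = 5;

#[derive(Debug, PartialEq)]
pub enum Decision { Accept, RejectVapidRequired }

/// True when the header has the RFC 8292 shape `vapid t=<jwt>, k=<public key>`.
/// Shape check only: the JWT signature and claims are not verified here.
pub fn has_vapid(auth: Option<&str>) -> bool {
    let Some(value) = auth else { return false };
    let Some((scheme, params)) = value.trim().split_once(' ') else { return false };
    if !scheme.eq_ignore_ascii_case("vapid") { return false; }
    let (mut t, mut k) = (false, false);
    for p in params.split(',') {
        match p.trim().split_once('=') {
            // A compact JWT has exactly three dot-separated segments.
            Some(("t", v)) if v.split('.').count() == 3 => t = true,
            Some(("k", v)) if !v.is_empty() => k = true,
            _ => {}
        }
    }
    t && k
}

/// Counts unsigned updates per (sender, day). Old days are never purged in this sketch.
#[derive(Default)]
pub struct VapidGate { counts: HashMap<(String, u64), u32> }

impl VapidGate {
    /// `sender`: assumed grouping key (a subscription id here); `day`: days since epoch.
    pub fn check(&mut self, sender: &str, day: u64, auth: Option<&str>) -> Decision {
        if has_vapid(auth) { return Decision::Accept; }
        let n = self.counts.entry((sender.to_string(), day)).or_insert(0);
        if *n >= DAILY_UNSIGNED_LIMIT { return Decision::RejectVapidRequired; }
        *n += 1;
        Decision::Accept
    }
}

fn main() {
    let mut gate = VapidGate::default();
    // Constructed traffic: seven unsigned updates to one subscription on the same day.
    for i in 1..=7 {
        println!("update {i}: {:?}", gate.check("sub-a", 18_600, None));
    }
}
```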